Security

TJX Is Biggest Data Breach Ever

jcatcw writes "Jaikumar Vijayan reports for Computerworld that TJX is finally offering more details about the extent of the compromise which, at 45.6M cards, is the biggest ever. He has been following the story since it started. The systems that were broken into processed payment card, checks, and returns for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico, and customers of Winners and HomeSense stores in Canada and T.K. Maxx in the U.K. Customer names and addresses were not included in the stolen data. So far the company has spent about $5 million in connection with the breach. Several lawsuits have been filed against the company, including a suit by the Arkansas Carpenters Pension Fund, one of its shareholders, for failure to divulge more details about the breach."
This discussion has been archived. No new comments can be posted.

  • The Answer is... (Score:5, Insightful)

    by WED Fan ( 911325 ) <akahige@trashmail. n e t> on Thursday March 29, 2007 @01:09PM (#18530307) Homepage Journal

    The simple answer for users, and it exists now: Revokeable Credit Cards.

    The long term is separation of credit and banking from the Social Security system.

  • Example (Score:5, Insightful)

    by Renraku ( 518261 ) on Thursday March 29, 2007 @01:09PM (#18530321) Homepage
    Let's say that you're sitting at home one day. You get your credit card statement. Apparently your card is maxed out at $10,000. Your interest rate has tripled and the company is calling you wondering why you spent $10,000 in Bumfuck, India.

    Ok, so you're not responsible.

    How do you know how they got your info? It could have been from a call center, when you called about double billing you over and over. It could have been when you called your bank, which also has call centers in India. It could have been when you lost your card, someone found it.

    Point is, you probably will never know how they got your info. Only that they did. Even if you did find out, could you prove it in a court of law enough to sue TJX?

  • inevitable (Score:1, Insightful)

    by Anonymous Coward on Thursday March 29, 2007 @01:20PM (#18530493)
    Without knowing any details, I would have to say this kind of thing is inevitable. TJX is probably another company which views its IT staff as nothing more than a cost center with all the expertise they need as being a simple commodity. Why pay somebody with real experience and a proven track record a good salary when you can hire somebody with a bunch of certificates for 1/3 the cost? Or intimidate an H1-B employee into working 75 hours a week?

    I wonder if making the upper management personally responsible for losses in cases like these would change their perceptions.
  • Re:Example (Score:3, Insightful)

    by stratjakt ( 596332 ) on Thursday March 29, 2007 @01:22PM (#18530513) Journal
    You dispute all charges, say you didn't make 'em, and you do this as soon as you find out, before anything can go to collections, and end up on a credit report. You have to be pretty negligent of your own finances to let it go that far.

    I have no pity for someone who doesn't at least look at their monthly statements.

    The risk to your credit is absolutely minimal if you pay attention, and call the 1-800 number on the back of the card to dispute the claims immediately.

    As for suing TJX, you wouldn't. You just get your money back, and the CC company goes after the guy who fraudulently used your card.

    I've had my credit card stolen (physically) and dealt with this. At first I was freaked out, "o noes identity theft" and all, but after a phone call I had my money back the next day.

    As an epilogue, the moron who took it worked with me, and used it at the gas station across from my work - the station manager had no problem letting our company pres and I check out the tape, and there's dumbass.

    In my case he didn't get a chance to spend more than a grand before I phoned the card in, so it was just petty theft. I never had to follow up on it, though, BoA did that.
  • by Anonymous Coward on Thursday March 29, 2007 @01:36PM (#18530685)
    What does the OS of their web server have to do with what OS their internal billing systems are using? I've worked plenty of places that had IIS hosting their "find a store near me" web site but used *nix or Big Iron for the systems that did real work such as billing or inventory control.
  • by ehaggis ( 879721 ) on Thursday March 29, 2007 @01:39PM (#18530743) Homepage Journal
    Credit scores, reports and identity are in trouble in the US. It is a large pink elephant in the living room, but no one with any influence wants to admit it. Your credit record can be inaccurate due to:
    1. Credit Agency mistake
    2. Creditor error
    3. Criminal activity
    4. Poor security measures by xyz company
    5. ???

    With each of these problems, the onus for repair is on the customer / victim. There is no standard or easy resolution.

  • Meanwhile... (Score:5, Insightful)

    by jeevesbond ( 1066726 ) on Thursday March 29, 2007 @02:03PM (#18531203) Homepage

    In other news a story on Microsoft's Get The FUD [microsoft.com] campaign mysteriously disappears, the title was: 'TJX Chooses Windows Over Linux for Reliability and Security'.

    I'm joking, but you never know. On a more serious note: what mystifies me is why these companies need to store customers' credit card details at all?! Having had experience with POS (Point of Sale) I know that the system should keep these details long enough to complete a transaction, then it should delete it.

    Security starts with only keeping the information you need. Courts should be questioning why these companies retained this data in the first place!
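
The retention point made in the comment above, as an added example that is not part of the original thread or any retailer's code: the full card number is used only for authorization, the stored record keeps the last four digits and the approval code, and an audit pass flags any stored record that still holds a Luhn-valid card number. The `authorize` stub, the record fields and the sample values are assumptions constructed for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return Luhn-valid card-number candidates found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def authorize(pan, amount_cents):
    """Hypothetical stand-in for the processor call (assumption)."""
    return "A1B2C3"  # constructed approval code

def complete_sale(pan, amount_cents, store):
    """Use the full number only to authorize; persist a record without it."""
    record = {"last4": pan[-4:], "amount_cents": amount_cents,
              "auth_code": authorize(pan, amount_cents)}
    store.append(record)
    return record

def audit_store(store):
    """Indices of stored records that still hold a full card number."""
    return [i for i, rec in enumerate(store)
            if any(find_pans(str(v)) for v in rec.values())]

if __name__ == "__main__":
    store = []
    complete_sale("4111111111111111", 1250, store)  # well-known test number
    # Constructed legacy row that kept the full number:
    store.append({"card": "4111 1111 1111 1111", "amount_cents": 500})
    print(audit_store(store))
```
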

  • by rs232 ( 849320 ) on Thursday March 29, 2007 @02:29PM (#18531707)
    'The six named people must have had some deep insight to the code on which these systems were running. Maybe they had inside help. If I really wanted to be paranoid I'd suggest that the six named people were caught port-scanning the servers and they're being used as the fall guys so that the real criminals, probably insiders, can slip out the back door'

    An interesting exercise in fallacious reductio ad absurdum. Just because they passed the cards don't mean they wrote the code and the Florida police caught them port-scanning the server and only arrested them to give the real criminals time to slip out the back door.

    Do you seriously think the hackers would drive about Florida trying to pass the stolen cards, especially months after it went public? The six are more likely to be downstream crooks that purchased the stolen card details not realising where they came from.

    Re:All encompassing (Score: 5, Interesting :)