Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Banks Report Fraud Spurred By TJX Breach



 By: Matt Hines
2007-01-26
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The Massachusetts Bankers Association reports that regional companies are already experiencing fraud based on the massive data reach reported by retail chain TJX.

BOSTON—Banking industry officials in Massachusetts are reporting that a string of local companies have already observed fraudulent activity related to the massive data breach reported by retail chain TJX Companies on Jan. 17.

Unlike many other highly publicized data losses reported by organizations such as the United States Department of Veterans Affairs, which have not yet been traced to any criminal activity, the information stolen from TJX during two specific incidents in 2003 and 2006 has already been put to use by fraudsters, according to the MBA (Massachusetts Bankers Association).

The MBA reported on Jan. 24 that several banks in the state, which is also home to the TJX corporate headquarters in Framingham, have reported incidents of fraud specifically related to the information that was lifted from the retailers IT systems by unidentified outsiders.

The banking industry group said that it has received reports of fraud carried out on debit and credit card accounts exposed in the data heist in locations including Florida, Georgia, and Louisiana in the United States, and Hong Kong and Sweden overseas. The widespread nature of the criminal activity could indicate that the data has already been passed from the hackers who stole it to people around the globe intent on using it to carry out fraud, a common scenario for the use of stolen personal information.

Several banks doing business in Massachusetts have already reissued credit and debit cards to customers, including Fitchburg Savings Bank, which reported that more than 1,300 of its customers may have been exposed by the TJX incident. Bank of America, the countrys largest retail bank, based in Charlotte, N.C., also confirmed that it is reissuing cards to account holders, although it did not indicate how many of its customers had been affected.

Resource Library:

The MBA said that almost 60 local banks have reported contact with credit card providers about compromised accounts, and officials indicated that the financial services companies are notifying customers and reissuing new cards to many people. The industry group is further cautioning that the number of affected individuals is likely to grow higher as, thus far, less than half of the 205 banks in Massachusetts have reported into the MBA about the situation.

Banks in Vermont and Canada have also reported contact with credit card companies related to the breach.

On Jan. 17, TJX, which operates a handful of North American and European retail chains including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright, reported that a computer systems intrusion may have compromised the personal data of an undetermined number of customers.

TJX officials said that outsiders were specifically able to gain access to the portion of its computer network that retains its customers credit card, debit card and check information, along with data related to merchandise return transactions.

The information involved was drawn from the companys T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico, along with its Winners and HomeSense stores in Canada.

TJX officials said the data theft may also affect customers of its T.J. Maxx stores in the United Kingdom and Ireland, as well as its Bobs Stores chain in the United States. TJX operates an estimated 2,500 retail locations in total.

While the company did not reveal how many customers may be affected by the incident, TJX officials said that a majority of the data involved is related to individuals who shopped at its stores in the United States, Canada and Puerto Rico during 2003, and between May and December 2006.

Company officials said that they have been able to isolate a limited number of credit and debit cardholders whose information was removed from its systems, as well as a smaller group of people whose drivers license details were stolen.

Is the only way to protect yourself to adopt a cash-only mentality? Click here to read more.

In addition to working with all major credit and debit card companies to help investigate any related fraud, along with law enforcement officials including the U.S. Department of Justice, U.S. Secret Service and the Royal Canadian Mounted Police, TJX officials said the company has directly contacted individuals whose information was known to have been exposed via the intrusion and is offering additional customer support to people concerned that their data may have been compromised.

TJX officials said the company kept a lid on the details of the intrusion up until recently at the request of law enforcement officials. This quiet period has become a common practice as investigators attempt to gather evidence of data incidents before details of the events are made public, but some privacy experts have called for shorter delays in the process in the name of helping consumers protect themselves against fraud.

Based on the nature of the breach, and the companys delay in reporting the incident, some experts maintain that TJX was not taking sufficient steps to protect the customer data and should therefore be held liable for any related fraud.

For its part, the MBA is already pushing for new legislation and card association rule changes that would mandate the quick disclosure of data breaches involving personally identifiable information, and place financial liability with the company responsible for the incidents.

While TJX reported the breach publicly, Massachusetts does not currently have a law on the books similar to California 1886, which requires companies in that state to disclose any exposure of sensitive customer data.

Over the last two years, more than 30 U.S. states have adopted similar measures, and Massachusetts lawmakers are planning to reintroduce legislation in 2007 that requires companies both to take additional steps to protect such information and to inform consumers within five business days after a breach is detected.

In addition to helping individuals protect themselves against criminal activity, such requirements would help spare people unsure if their data was involved in a breach from seeking new credit cards, MBA officials said.

"By not disclosing which firm caused the breach, or quickly disclosing it, consumers are needlessly troubled and might feel compelled to take unwarranted action if theyre left in the dark," Daniel J. Forte, chief executive of the MBA, said in a statement. "We hope that long-term, this approach would be the additional motivation that retailers need to enhance the security of their systems and protect consumers, as well as your local bank, which bears the cost for replacing cards and covering the fraud for customers."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.



  Reader Comments: Banks Report Fraud Spurred By TJX Breach
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Matt Hines
 


x}kw"xxD{{}` I%*2oCV2J iz>HwGiJf@-*p>;| `OS{SUuɄ_Ѫx/S}L=FW\3a =JGI{sV2"&<%vȏy$mc7((>-_ߩ۾oOETwdžž"h4"j>wl2 X]jc#7Դu(!$f&]?ZQNKm5ZAq3j__[z\?-mx&l Mf 6ixT.%53iuL|uyJ2,Neޭ_.K`H-@iܸʐLsYaXY|XfXӀ7'1?kC2X~`]V,Y U Շ7|)u$q_ɜ5.Hr Aa)#p?݅EpJq䠉=ش 6,%iJ@{g8  }YtFM)N}%N !F\r/QE KH@!F!8N!8Q%Ku}7pSjCν󠻫fiY(%YWb."#+]WFtW6~j5:y8^$glh|* ]ezbc\ZԷWR0R7V)@|8CU9-b(WZdt Z2h bXvPґ>39?i`@+hӧI:ǘ>Cc6uˊ(>2胎:mX5냉AhnfH4譫Rg&v/R}cJ=AE$7 t"CPIe{ef"S@qOAs L΃bromM^(gEni_h^0h5pppYY?0C]׶}2g gxјu *l@ }tC s\(L7^ " 9DEMi@ P!$TO`r6́lbo(?LHX-Zp։` (=HvO- ysO裲B ^/_b 2[3E$ɤ`0X*? #"09X 4gj hk%sZ!m0*gu8v.-Â*!KJŖgX䐦5rul 30#q!N(0 Phd hRjc["/Zdb?SX|hƋ`@322飁dO,^!͘=eІ:F'(Y Ӟ u9؆;;./=6KQ|ZҋS-ӿi |k۪ փԕ#>` .z*H(AL10ѿY6YbY2+K+UœWPVY'ex)%WLXVc] V6_2}{Gq+қSj8)l4|4O͡vP;R4ʭD֒f]X]۽@r6~iZZ @-ĿeIM-VX5QW0:4)I ܊iYlctzx:Lqa\8=]϶=j :NܙXUMΩr5o}d4l\MJǚvX,9ڹc+  9P8IN*T*g3Sv=Z J8`ۉun[哏LbpAmۙ^:'hV ، M-ڊ0 '6aaKѝ; \79:n-n,KYcyOٖjRR|vh XZeGA.*Ϩfl:2L{9_sWw&m 1XɰXPr~l"zds˰2X.5AGiAt\IRs428p]3Ol4$"Paa0S]rEtQм+<V3;!䆛7!Tcfx:v*w]sT*[Pf;(Q<$& ;ok0ǞgE; #>(apHL`_`@B^}9 &@S\,_Fc ZCSGܔwф.;к$~0 X x@7*(SӞͥj9[%BN.x[ZGmu! $rѾi>Qd'V!Ppj͹u2s=[\(W`~XĔAES؇b_@WTtXΩ9k+ (땿YKNGV32A1"}9OFlq VgZS]Oq+?_;ȡ[7cmg^7UGo&bJ)*ue4, BbIR|={>r7lj%뺯_F[nsUͯydF 3-J3ȭ>qO r;n^CmlؗYԽ@?}誦bC}A2"3P1څ?kF*w5׍3PUfSyr=/ʠjYdvu 胻#1ei #?M[LFzɶ0uPsM7b-?ܵ Ylu'ܫs P"mp0>yGpX/o\qGX߳vJ851fS)(b2H+DUtev'3WLIT=KyRUG4yģT1E2 y $z=nEjЋvc \N; ?4y @QFmo\[KEyXS7|y9~VM6=HTPCV:]}Hc`#*ahhit#򐤏]产j B5j5)`2O\_Iў.|2d: +njBcej `3K?f-8NӴM+6nfD}Pa}d҇NV5IieI˕sZ~ 2aU8NU&.R/&⿿ ?`q=nT%qf}״^LE{{]כW F]6κ孀  vKinΛWKߧ wL.W )^}-<rLA]6ϯX G>9lnˏOM1k&01h$Ǽ8‘! VWf@ 屴oN,SVXS!}-1>ՠ8Fh[Qy~oUkv!ɖtz̝yE9{B*Qov/k_I9] C[ `E/ԩ #^DrIGz\Fdz}SDY#'0^母OoWȘIGD_q+5kNz8s\1[5nTo~&BR^&R8/h13ڏI _"Ts(LZ!*rڞS%CcsOӖO|BBQJ;Q<u?Imv[@7%<2KL'dJ@$ =)!JښI8'"8J542 eI? U4㓈PV IWɂtkW#Ǧ5>ݻ< /.iwn+W: .VH_8_`6OkB HY)o9yb@lb'ťh%w:B|c7`|xSr'fP}@+G"f=4ۨaIbeiZ,ix vIАcݷݬ89!g tLi:jEY fc;rs 羴~/ٻ|Z8w[q*A%sK?G{o[DL; ʷc9O\kcO?a"K ra']Fze_}j.Ό3$g20 ?l;mݭn \ B;DJ<N%>4R]Cfuk%ô§ ,'iƿ_Wc+ޙU2$;lߖ6ւ1v̙[ʈ1WcZ­*n1|kI5%p!$ ~8U{v+pp) ẋ+VxebT?1| cD4nL1.%|3I#ە eHI%E{:!~y Hd!>FDNŅSL=:5,ؖ= H.!wj'm Fc &+>11cp ۜsW7L63h«9/1)IUUM`"kE?7͟zQ3f M&x0vC4B)v/ 1Ȑ ^#9'b.sϼ1"th@(Ml=s~B :ү"Ե[& M0-=Sp6e5H,P;~X9-8J0L/.];?#|):kxXxNJ]'bm^ۃPedPHtXRcWl6`\.aP+hlU(MEx#R#%Y09 ~@9TDZ\R߃ʆ9$zX %v6yĂJg ORH'.BTrл>xG#aGN@C/['YQSRYH-]ݶ4E)I*i;v)Ԥ=c83O!,Vc|:8[Kvƺ۔ڑ,TeQTzqiJ5߷]ΥsjQW7YEՇ@4:n, 4=E -2 wou⻊MRXLIxT܊C߬߬߬߬#||ki$_h:Gr-}kT BIq"cc2 ϭr 8?;"Ŵ`O`c6?ʭ_,1 0ZElI/f=ǻTٕn @" ַg]`s5Ei O`}%{':aؓ^zխnI$7sԩ:R .)G80/H( DB$0qW7&i$ UQyK{1+w.Sgx $]E:x1SVXtV$v(X-F]ݺ薔Pxq36M q`Գz-}ogw ȖsZ|e>]w.a5F3S8_! Rmhҧ#DUGx0ysSP@)OJUWU>Rʁ\{o:1aؙ bP@,F]ݮ:wq%w;fffflYe߶2TPomK(ԓ,6Rqzk_8WV׏-Ku]׶v Q= ^~o :́>eb8K]Q5IT 54>y76E}Sz>)e S /:|j^E~i//m~ #[g4!OE@˫b2_AM x-r=-Dw߁\ベ_3.NdBҏ"u@9 ek>7j_AG-'uˤhgP_ʟc%s6 '!CآAjڅO$tg8. 2à?&LEզ0i#:6M=tcz@~=v'*y1ň<`LE57h/XdT(>AH5˅(PxTuDO 7DD?Zfo|'%â2k(G>?w{9%utGpkDmtlMz ԡ:BEWkrJ -%נ66OݞS#66J=!vm6J=!զvo%zW\A[bKgP•0^ԭUЈ~J}נ# pLK:Ƃfs⥡ <4&ƗXi|瓔IpʬKM4d`+JElN`kuӕǶ5*CXVTa#PɍF.`hydZ{Cqȭ #/|\L;a28c[X鳏bi'r m&09-Nc0ӀOaۡWǪEcjɱI,,O q 8Ij{wn/~ۊKk2F==ά~َT݆D5n͌Ot矗 6@Ppmv#ϗ#=E]t/&iqۏo[ͳ.0$&nX\n3l~ P|?K1}+a¸Ȋ1VԞk9{(0ː7X-Ƹ|͌k!]L_"ƘoŽ)$Qx@O@L)B J Ӵ$7L}P |B[ן($W|Q7n@klҞS;q~ܐZ<Ƕ&??|BǠb. c n+rt`ww9X:P{٣W78z'盇/tX3+b%#(#>> Cd2zވxZ8aBʒW@7˽}H[e'ɃdZ∁o E슃L(bOAqẆּ$Wemt 4>g( $>mGTO09ad^s:0! ȅLMv,#~]^}b`yy7sa%}圭#+ENHSXnPi~(J"W)'Ч ▩eT1,1.kMQ(Vpx ~0&gF=ŸCX!<ۮҹ1")dh`t2h+a [cӚx#Nsy9:KqffYݺuϗpHut(bvqY@y+DLMڠAa~µ!~˦[R&Js% 9߇>laԟؠ9,Թ<(G]ĝ5]wSد򳉾zt39Ỵ2vts\bJLsB4_ Da u}31AAfp)4fꭔՒRR`jO5C [XU|.ݞGedi,f/#:\iL$R&. ?d$-CF쎆dSA%͈ŵ;ѭhj 9kߐ9i4HIymI}7} &XNGݩ;'UyT G_K}eP0,g $U`zʌTNGZc.ͅdEp,i.S9$xG_1]TexZ5L"a^e5DM@ :k!,l+C9=zh؊Jm9 g%^NWaףGM:n:Zh9lPc%S\@AC| i\6N}T׊ek@)!cJkJ ߬?RېNGJϯꍔS?]9K9< fz\߬gzJ>?4R͔d;)_ KVj+e~Z0V[Jo JO J 賕B-V }"^3Nɿ@?R[JɇJ+J66ȟvi|iȗk)o~nR奈奈 M/O@_R3Nˇ}NgBmZ>m B)ݦ_|uk)|Vƍ)IJ~!S=IBEZSZ>lR!?EOiW)Zmu L)/:)^}AV*v=a\ m5nkǨRt24xԾW( V`ʼ7G(YE"Ch`4oD.3$*}`:=WWv+fJX.ߔYnƊ6sLqϜO8Vih _7BX9|.|ޥcFtwZ<'H_5y~Cf' clAptDw9[f'nWfH{` ֫sKk>ÓxwY몮,8“m(>9q}2qٞKjO WYn-J ǡ8Н]h7oA/KOx7+`i~ivT߭Ҹ]k hͦds_)N(~P"D7)4\9CqbBPStou7\1mAԇiIdY_*5-Z,J{ "mz@0ODdU26B0X^"(d@#غ {%}CjY=v͐Ga0VJ!'\BH#tlְ"bΫX#ڼx00aw8a+h;|#?@(sT[F%llBg}9.73y@OFܙsX&3(V"j{oJ-HGsQ{cwt} P3 b<çS7ҝxK$pgB-ҋ[>|He˺]& ;-<= pa:ծ'kf v¶!6*\G'V!M!,9<22sH)P,d#Vo? tuy9$"zW;>X 7aX1h:!ٕnqgxɄ`wƝޔħC0nzZ?YBłĴS&zF{"gu#avl$f̦IG7]Hn5wɌt@7qytϵʹ X^a[ݨ3Kދ_T3Yc͘%&7X/0x6ty'Wx/3ዚS&$l }_I4#{x;!f_^z|q0v=K*_l xdHXRx/!I”]y&#046 僇rBY+.Ġ/>''4wBsVj*v9wiik[4&z-?`3BsL J$ `vLԙjd5L؀5``a?^I (T(z)̸Aϐ\19%)NՌ[#|F+3௚3qyU (pd+D~"uzOMz1LJ1@b Brvu,յZg]J"51b1?0俈x!$k0U6p|!D[gARD~cJ]&*P=eZOm n,/}d-+2lů6A6\Ҋ$ &߇IbHQ@>fvEE3`CQ]jfB`N]?)qmj7;3߼ˎk) GNJp`)F}v=Y uK 76X}FRR^p祎PhU|G 2њ1x}\чee d|%_xƮ~[Axs%9m<`G6$߂*wuw=ZQdERb05yN&f |0FĶR]Ei3{|@  o`PK+Kea$Vudn0S{^)ZuhA1tVBȟa4AL7V`ɟ=zTQޮ7(Gi#-Q`W:*&uywDwo^ Q`WO{dC70* A 1Xqk @;= -0Mr?;]Y,LCi6e1}t0yp BL IQ lv.2X<>Ŵ"&D09'eR:0sh{۟3\TFH6c߷}ftD@ͭŕ]Ag"a?#a^ggybS2w$Y?wf@sOkp|>&:B X+^:7 Neca`.gtVk5/qJC@+`.gQNFPQ, sc*?1ZQ+ŜID#;ou['- k\֓C%_moF'eҰ|M9!VKq+^^.Kˌ.ʱ wk&l 1)|m-k6]-{wg)