The potentially massive data theft reported by discount retail conglomerate TJX Companies illustrates the continued efforts of hackers to rob businesses of their most valuable information.
On Jan. 17, the company, based in Framingham, Mass. which operates a handful of North American and European retail chains including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright, reported that a computer systems intrusion may have compromised the personal data of an undetermined number of customers.
TJX officials said that outsiders were specifically able to gain access to the portion of its computer network that retains its customers credit card, debit card and check information, along with data related to merchandise return transactions.
The information involved was drawn from the companys T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico, along with its Winners and HomeSense stores in Canada.
TJX said the data theft may also affect customers of its T.J. Maxx stores in the United Kingdom and Ireland, as well as its Bobs Stores chain in the United States.
TJX operates an estimated 2,500 retail locations in total.
While the company did not reveal how many customers may be affected by the incident, TJX said that a majority of the data involved is related to individuals who shopped at its stores in the United States, Canada and Puerto Rico during 2003, and between May and December 2006.
Company officials said that they have been able to isolate a limited number of credit and debit cardholders whose information was removed from its systems, as well as a smaller group of people whose drivers license details were stolen.
In addition to working with all major credit and debit card firms to help investigate any related fraud, along with law enforcement officials including the U.S. Department of Justice, U.S. Secret Service and the Royal Canadian Mounted Police, TJX said it has directly contacted individuals whose information was known to have been exposed via the intrusion and is offering additional customer support to people concerned that their data may have been compromised.
A number of banks have issued warnings to customers whose data may be involved in the incident, as have the credit card brokers.
TJX said it kept a lid on the details of the intrusion up until now at the request of law enforcement officials. This quiet period has become a common practice as investigators attempt to gather evidence of data incidents before details of the events are made public.
Since the break-in was discovered, TJX said it has “significantly strengthened the security of its computer systems” and hired IT specialists General Dynamics and IBM to help further investigate the intrusion and assess the volume of data that may have been stolen.
“Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems and we believe customers should feel safe shopping in our stores,” Ben Cammarata, chairman of TJX Companies said in a statement.
“Our first concern is the potential impact of this crime on our customers, and we strongly recommend that they carefully review their credit card and debit card statements and other account information for unauthorized use.”
TJX said it is continuing its investigation to determine whether any additional customer information may have been compromised.
Data Theft Versus Hardware
The network intrusion highlights the continued effort of hackers and malware code writers to target massive databases of consumer information which can be sold to other parties to carry out identity fraud and other crimes.
While a majority of the high-profile data incidents reported over the last several years have involved lost or stolen laptop computers, or misplaced backup storage tapes, there have also been a string of incidents which reflect criminal attempts to steal valuable corporate information.
While the event that touched off the current attention on data thefts employed more traditional means of scheming, as scammers merely duped workers at consumer database broker ChoicePoint into giving them access to sensitive records over the phone in Feb. 2005, there have been several other high-profile incidents through which technological means have been used to steal the data.
In April 2005, retailer DSW Shoe Warehouse reported that hackers broke into a company database and stole the names and credit card numbers of approximately 1.4 million individuals, along with checking account information of an additional 96,000 customers.
The event led the company to settle charges levied against it by the U.S. Federal Trade Commission that it had not properly protected the information, and in its financial earnings the firm reported costs between $6.5 million and $9.5 million related to responding to the event.
During the same month, officials at banking giant HSBC North America notified an estimated 180,000 individuals that their General Motors-branded MasterCard account information may have been stolen from point-of-sale terminals at retailer Polo Ralph Lauren.
One of the major catalysts behind the wave of data theft incidents reported over the last several years has been the adoption by at least 33 U.S. states of legislation similar to the California Security Breach Information Act, passed in 2003, which requires businesses to disclose potential data exposure to customers and regulators.
There are currently at least four bills pending on Capitol Hill which seek to establish national data protection measures that have requirements similar to the California bill, known widely by its numeric designation, 1386.
Experts observed that data theft incidents such as the one reported by TJX are far more dangerous to the consumers than the rash of lost or stolen laptops that have also been reported over the last several years.
Dr. David Taylor, vice president of data security strategies at security software maker Protegrity Corp in Stamford, Conn., said there is little doubt that the information stolen directly from computer databases will be utilized in criminal activity more often, and more quickly, than data residing on misplaced equipment.
“The hardware thieves just want to steal the box and sell it in a majority of the cases Ive seen, whereas with the information theft theres a far greater risk of identity fraud, because the criminals have set out to find the valuable data itself,” Taylor said.
“Were seeing that there is also increasingly fast turnaround on the use of the stolen data as thieves know that more companies are keeping a closer eye on their networks and reporting suspicious activity to customers and law enforcement sooner than in the past.”
Despite the growing awareness, and threat, of the data break-ins, Taylor said that many companies that have not directly experienced information thefts remain less likely to improve their defenses. He also believes that many IT security professionals wont recommend additional data protection technologies to their employers because of fears that it will reflect poorly on their previous recommendations.
“Companies that havent had a breach still take the ostrich approach when budgeting for data protection, burying their heads in the sand, and often spend only one-tenth of what we see companies allocating to data security after a breach,” said Taylor.
“Security pros are afraid that pushing hard for additional tools will make their existing work and the technologies theyve purchased look flawed, which is a shame because these people who best understand the technology side of the equation are trying to distance themselves from the problem.”
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.