honoluluadvertiser.com

Sponsored by:

Comment, blog & share photos

Log in | Become a member
The Honolulu Advertiser
Posted on: Friday, March 30, 2007

Biggest card data hacking: 45.7M

By Mark Jewell
Associated Press

Retailer T.J. Maxx is one of the companies from which hackers accessed customers' financial data from its computers. Data from at least 45.7 million credit and debit cards were stolen.

ASSOCIATED PRESS LIBRARY PHOTO | February 2007

spacer spacer

BOSTON — A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information.

For the first time since disclosing the theft more than two months ago, the parent company of nearly 2,500 discount stores put a number on how much card data was compromised — and it's a number TJX Cos. acknowledges could go still higher.

Experts say TJX's disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.

"It's not clear when information was deleted, it's not clear who had access to what, and it's not clear whether the data kept in all these files was encrypted, so it's very hard to know how big this was," said Deepak Taneja, chief executive of Aveksa, a Waltham, Mass.-based firm that advises companies on information security.

The case has led banks to reissue cards to customers as a precaution against further fraud beyond cases detected as far away as Sweden and Hong Kong, according to the Massachusetts Bankers Association, which is tracking fraud reports linked to Framingham, Mass.-based TJX, parent company of stores across North America and the United Kingdom.

The only arrests believed tied to the case involve a gift card scam in which 10 people are suspected of buying data from the TJX hackers to purchase Wal-Mart gift cards in northern Florida. The group — who aren't believed to have committed the TJX hack — then used the cards to buy $1 million worth of electronics and jewelry at Wal-Mart's Sam's Club stores, according to Gainesville, Fla., police.

CODES MASKED

Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the Securities and Exchange Commission after business hours Wednesday. TJX did not estimate the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003, to June 28, 2004.

TJX said about three-quarters of the 45.7 million cards had either expired at the time of the theft, or the stolen information didn't include security code data from the cards' magnetic stripes. Starting in September 2003, TJX began masking the codes by storing them in computers as asterisks rather than numbers, the company said.

The filing also said another 455,000 customers who returned merchandise without receipts had their data stolen, including driver's license numbers.

With at least 46 million consumer records accessed, the TJX case outranks the previous largest case tracked by the Privacy Rights Clearinghouse: a June 2005 disclosure by credit card processor CardSystems that hackers accessed accounts of 40 million cardholders.

Clearinghouse director Beth Givens said her San Diego-based consumer advocacy organization's list includes data breaches disclosed after a 2003 California law required companies to notify consumers.

The TJX case "will probably serve as a case study for computer security and business students for years to come," Givens said. "This one could be considered a worst-case scenario."

One reason for that, she said, is TJX's disclosure Wednesday that it believes the hacker or hackers "had access to the decryption tool for the encryption software utilized by TJX."

TJX also said the hacker or hackers used technology last year that could have enabled them to steal card data during the approval process, when data is transmitted to the card issuer without encryption.

TJX also remains uncertain of the theft's size because it deleted much of the transaction data in the normal course of business between the time of the breach and the time TJX detected it.

"There is a lot of information we don't know, and may never be able to know, which is why this investigation has been so laborious," TJX spokeswoman Sherry Lang said.

BREACHED IN 2005

TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from transactions dating to January 2003. TJX didn't find out about the breach until last Dec. 18, when it learned of "suspicious software on our computer systems."

The company then hired outside investigators and notified federal authorities before issuing a Jan. 17 news release. TJX says the monthlong delay in disclosing the breach allowed it to work with security experts to contain the problem.

TJX said in the filing that "substantially all stolen data" from transactions in the period Nov. 24, 2003, to June 28, 2004, were deleted.

Lang said the company was investigating why information stolen earlier in 2003 wasn't routinely deleted.

Deleting such information after transactions "should be standard practice" to guard against theft, said Taneja, the security expert, but many firms nevertheless don't follow through.