[ISN] Data Breach Could Affect Millions of TJX Shoppers

From: InfoSec News (alerts@private)
Date: Sun Jan 21 2007 - 22:25:43 PST


January 19, 2007

Tens of millions of credit and debit cards might have been compromised 
by a computer security breach at the retailer that operates T. J. Maxx 
and Marshalls in what could emerge as the country's biggest case of 
stolen consumer data.

While the investigation is in its early stages, the number of accounts 
potentially exposed at the TJX Companies could exceed the 40 million 
involved in a data breach at the payment processor CardSystems Solutions 
in 2005, people briefed on the findings said yesterday.

Still, these people cautioned, the total number of accounts at risk 
might be far less if thieves only looked at but did not download the 

TJX's vice president for investor and public relations, Sherry Lang, said 
yesterday that the amount of information removed was substantially less 
than millions, but conceded that many more could have been potentially 

She provided few details of the investigations.

The millions of card accounts compromised, belonging to all the major 
credit card companies, were among a trove of sensitive customer 
information potentially exposed. On Wednesday, TJX revealed that an 
intruder had gained access to a computer system that contained other 
customer information, including driver's license numbers and checking 
accounts linked to transactions for returned merchandise.

Over the last two days, the nation's banks and card brands including 
Visa, MasterCard Worldwide and American Express said they were 
monitoring their customer accounts for potential fraud. TJX, which has 
about 2,300 stores in the United States and Canada, suggested that 
customers review their accounts, and it set up a tip sheet on its 
Internet site and a toll-free number 866-484-6978 to handle questions.

Both of TJX's flagship stores were affected, as well as its HomeGoods and 
A. J. Wright stores in the United States, and its Winners and HomeSense 
chains in Canada. The company is still trying to assess whether customer 
data from its 36 Bob's Stores had been affected.

Yesterday, Fifth Third Bank of Cincinnati was identified as the 
sponsoring bank that handles TJX's accounts, which makes it responsible 
for ensuring that the retailer met the industry's data security 

"We are not in a position to confirm or deny if we do have a relationship 
with T. J. Maxx," a spokeswoman for Fifth Third, Stephanie L. Honan, 
said. Asked about whether all of its merchants were compliant with the 
rules, she declined further comment.

Fifth Third may be required to cover some of the card issuers' losses. 
TJX could also face hundreds of thousands of dollars in fines from 
government regulators, Fifth Third and the payment associations like 
Visa and MasterCard.

Meanwhile, federal and company investigators tried to untangle what TJX 
called an unauthorized intrusion into its computer system going back at 
least four years. One likely entry point may have been through checkout 
terminals, which are typically connected to the Internet. That could 
enable thieves to obtain sensitive data like that on the magnetic strips 
of credit cards, which security experts advise companies not to keep.

While there was only a single compromise, TJX's statement suggested it 
may have occurred in two waves. During portions of 2003, the company 
suggested, the intruder gained access to credit and debit card 
information that was stored, possibly unencrypted, on its computers. 
From May to December last year, the disclosure suggests, live data on 
the network may have been accessed in an intrusion using hacker tools.

Hard Drive Lost at Bank

OTTAWA, Jan. 18 - The Canadian Imperial Bank of Commerce said Thursday 
that it had lost a computer hard drive containing personal financial 
information for about 470,000 mutual fund customers.

Rob McLeod, a spokesman for the bank, said the drive, a backup for its 
Talvest mutual fund, disappeared while being moved from Montreal to 
Toronto just prior to Christmas holidays.

While the bank immediately notified Canada's privacy commissioner as well 
as its bank regulator, Mr. McLeod said the public announcement was 
delayed by the need to identify the affected customers and to establish 
a call center to handle their inquiries.

The lost records cover current and former Talvest customers and include 
their names, addresses, signatures, dates of birth, account numbers, 
beneficiary information and social insurance numbers. The bank said it 
has offered to cover any losses related to the missing drive.

Copyright 2007 The New York Times Company
