http://www.nytimes.com/2007/01/19/business/19data.html

By ERIC DASH
NYTimes.com
January 19, 2007

Tens of millions of credit and debit cards might have been compromised by a computer security breach at the retailer that operates T. J. Maxx and Marshalls in what could emerge as the country's biggest case of stolen consumer data.

While the investigation is in its early stages, the number of accounts potentially exposed at the TJX Companies could exceed the 40 million involved in a data breach at the payment processor CardSystems Solutions in 2005, people briefed on the findings said yesterday. Still, these people cautioned, the total number of accounts at risk might be far less if thieves only looked at but did not download the information.

TJX's vice president for investor and public relations, Sherry Lang, said yesterday that the amount of information removed was substantially less than millions, but conceded that many more could have been potentially exposed. She provided few details of the investigations.

The millions of card accounts compromised, belonging to all the major credit card companies, were among a trove of sensitive customer information potentially exposed. On Wednesday, TJX revealed that an intruder had gained access to a computer system that contained other customer information, including driver's license numbers and checking accounts linked to transactions for returned merchandise.

Over the last two days, the nation's banks and card brands including Visa, MasterCard Worldwide and American Express said they were monitoring their customer accounts for potential fraud. TJX, which has about 2,300 stores in the United States and Canada, suggested that customers review their accounts, and it set up a tip sheet on its Internet site and a toll-free number, 866-484-6978, to handle questions.

Both of TJX's flagship stores were affected, as well as its HomeGoods and A. J. Wright stores in the United States, and its Winners and HomeSense chains in Canada. The company is still trying to assess whether customer data from its 36 Bob's Stores had been affected.

Yesterday, Fifth Third Bank of Cincinnati was identified as the sponsoring bank that handles TJX's accounts, which makes it responsible for ensuring that the retailer met the industry's data security standards.

"We are not in a position to confirm or deny if we do have a relationship with T. J. Maxx," a spokeswoman for Fifth Third, Stephanie L. Honan, said. Asked about whether all of its merchants were compliant with the rules, she declined further comment.

Fifth Third may be required to cover some of the card issuers' losses. TJX could also face hundreds of thousands of dollars in fines from government regulators, Fifth Third and the payment associations like Visa and MasterCard.

Meanwhile, federal and company investigators tried to untangle what TJX called an unauthorized intrusion into its computer system going back at least four years.

One likely entry point may have been through checkout terminals, which are typically connected to the Internet. That could enable thieves to obtain sensitive data like that on the magnetic strips of credit cards, which security experts advise companies not to keep.

While there was only a single compromise, TJX's statement suggested it may have occurred in two waves. During portions of 2003, the company suggested, the intruder gained access to credit and debit card information that was stored, possibly unencrypted, on its computers. From May to December last year, the disclosure suggests, live data on the network may have been accessed in an intrusion using hacker tools.

Hard Drive Lost at Bank

OTTAWA, Jan. 18 - The Canadian Imperial Bank of Commerce said Thursday that it had lost a computer hard drive containing personal financial information for about 470,000 mutual fund customers.

Rob McLeod, a spokesman for the bank, said the drive, a backup for its Talvest mutual fund, disappeared while being moved from Montreal to Toronto just prior to Christmas holidays.

While the bank immediately notified Canada's privacy commissioner as well as its bank regulator, Mr. McLeod said the public announcement was delayed by the need to identify the affected customers and to establish a call center to handle their inquiries.

The lost records cover current and former Talvest customers and include their names, addresses, signatures, dates of birth, account numbers, beneficiary information and social insurance numbers. The bank said it has offered to cover any losses related to the missing drive.

Copyright 2007 The New York Times Company