[ISN] TJX breach was twice as big as admitted, banks say

From: InfoSec News (alerts@private)
Date: Thu Oct 25 2007 - 03:07:03 PDT


http://www.theregister.co.uk/2007/10/24/tjx_breach_estimate_grows/

By Dan Goodin
24th October 2007

The world's largest credit card heist may be bigger than we thought. 
Much bigger.

According to court documents filed by a group of banks, more than 94 
million accounts fell into the hands of criminals as a result of a 
massive security breach suffered by TJX, the Massachusetts-based 
retailer.

That's more than double what TJX fessed up to in March, when it 
estimated some 45.7 million card numbers were stolen during a 17-month 
span in which criminals had almost unfettered access to the company's 
back-end systems. Going by the smaller estimate, TJX still presided over 
the largest data security SNAFU in history. But credit card issuers are 
accusing TJX of employing fuzzy math in an attempt to contain the 
damage.

"Unlike other limited data breaches where 'pastime hackers' may have 
accessed data with no intention to commit fraud, in this case it is 
beyond doubt that there is an extremely high risk that the compromised 
data will be used for illegal purposes," read the document, filed 
Tuesday in US District Court in Boston. "Faced with overwhelming 
exposure to losses it created, TJX continues to downplay the seriousness 
of the situation."

TJX officials didn't return a call requesting comment for this story.

The new figures may mean TJX will have to pay more than previously 
estimated to clean up the mess. According to the document, Visa has 
incurred fraud losses of $68m to $83m resulting from the theft of 65 
million accounts. That calculates to a cost of $1.04 to $1.28 per card. 
Applying the same rate to the 29 million MasterCard numbers lost, the 
total fraud losses alone could top more than $120m.

Research firms have estimated the total loss from the breach could reach 
$1bn once settlements, once legal settlements and lost sales are 
tallied. But that figure was at least partly based on the belief that 
fewer than 46 million accounts were intercepted.

TJX has taken serious flack for allowing the breach to happen. Last 
month, Canada's privacy commissioner criticized the company for 
collecting too much data and using inadequate means of protecting it. 
According to the commissioner's report, TJX believes intruders gained 
access through company Wi-Fi networks that employed Wired Equivalent 
Privacy (WEP) as the sole means of securing the system.

Security pros have long known the encryption protocol can be cracked 
through brute force attacks, sometimes in a matter of minutes.

So far, there have been no arrests directly associated with the breach. 
However, six people detained in Florida after using credit card 
information stolen from TJX later pleaded guilty to fraud-related 
charges.

US law enforcement officials have also taken a keen interest in a 
Ukrainian man arrested for selling stolen credit card numbers in online 
forums. Many of the stolen accounts belonged to customers whose 
credentials were siphoned out of TJX's rather porous network.

The plaintiff's filings came in a legal tussle over whether the bank's 
lawsuit should qualify as a class action. TJX is arguing the banks don't 
qualify as a class, an outcome that would significantly increase the 
costs of pursuing the case. ®



__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Thu Oct 25 2007 - 03:19:57 PDT