Breach of data at TJX is called the biggest ever - The Boston Globe
Oh Great!!!!.........
Breach of data at TJX is called the biggest ever
Stolen numbers put at 45.7 million
By Jenn Abelson, Globe Staff | March 29, 2007
At least 45.7 million credit and debit card numbers were stolen by hackers who accessed the computer systems at the TJX Cos. at its headquarters in Framingham and in the United Kingdom over a period of several years, making it the biggest breach of personal data ever reported, according to security specialists.
While details are still sketchy, TJX said unauthorized software placed on its computer systems stole at least 100 files containing data on millions of accounts from systems that process and store transaction information in Framingham and Watford, United Kingdom. Moreover, TJX believes the hackers last year had the capability to steal payment card data from its Framingham system as transactions were being approved. Even the files TJX tried to protect through encryption may have been compromised because the company believes the hackers had access to the decryption tool.
"It's the biggest card heist ever," said Avivah Litan of technology consulting firm Gartner Inc. "It's done considerable damage."
TJX, the discounter that operates the T.J. Maxx and Marshalls chains, also said in a regulatory filing yesterday that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver's license numbers.
The filing provided the first detailed accounting on the breach since TJX publicly disclosed the problem in mid-January. TJX spokeswoman Sherry Lang said about 75 percent of the compromised cards were expired or had data in the magnetic strip masked, meaning the information was stored as asterisks rather than numbers. But the true extent of the damage likely will never be known, Lang said, because of the methods used by the intruder and file deletions by TJX done in the normal course of business.
"We do not know who took this action and whether there were one or more intruders involved," the filing states. "We are engaged in an ongoing investigation of the computer intrusion."
"There's a lot we may never know and it's one of the difficulties of this investigation," Lang said.
The disclosure yesterday comes days after a ring of thieves was arrested in Florida and charged with using stolen credit card numbers to buy more than $8 million worth of gift cards and electronics, allegedly using data from TJX.
TJX, which runs more than 2,500 stores worldwide, is facing an investigation by the Federal Trade Commission and numerous lawsuits from individuals and banks.
In yesterday's filing, TJX for the first time identified Dec. 18 as the date when it first learned of suspicious software on its computer system and provided the most extensive timeline to date of the problem. TJX believes its systems were first accessed in July 2005 and on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007. No customer data was stolen after Dec. 18, 2006.
On Dec. 19, the company said, it hired General Dynamics Corp. and IBM Corp. to investigate, and by Dec. 21, they determined a hacker broke into the computer systems and remained active there. The next day, TJX notified the federal authorities, and by Dec. 27 it was confirmed that customer data had been stolen. On Jan. 3, company officials and the US Secret Service met with its contracting banks and payment card and check processing companies to discuss the computer intrusion. On Jan. 13, the company publicly disclosed the breach.
Later that month, TJX presented a briefing to a multistate group of attorneys general and the Federal Trade Commission. In February, the company found evidence that the intrusion of its systems happened earlier than it previously reported.
TJX yesterday said it is sending letters to the estimated 455,000 customers whose driver's license numbers, state identification numbers, or military identification numbers and names and addresses were believed to have been stolen. TJX's Lang said yesterday the company will offer credit monitoring for customers whose driver's license numbers or state identification numbers are the same as their Social Security numbers.
The security breach has already cost the retailer $5 million for the investigation and new computer security, among other efforts, but TJX said it cannot yet estimate total losses. This case represents one of the most aggressive and widespread data security breaches ever, according to several security specialists. The Federal Trade Commission has struck more than a dozen settlements with businesses following data security breaches.
"These guys perpetrated a perfect crime," Ken Steinberg, chief executive of Savant Protection Inc., a Nashua maker of security software, said of the TJX case. "This is what scares the living daylights out of everybody. And this one won't be the last."