DailyTech - Targeted Hack Compromises Credit Database for TJ Maxx, Marshalls

Submit News

Internet Targeted Hack Compromises Credit Database for TJ Maxx, Marshalls
Michael Hoffman (Blog) - January 22, 2007 1:52 AM

E-mail

del.icio.us

4 comment(s) - last by DigitalFreak.. on Jan 22 at 12:53 PM

The security breach of TJX computer systems could impact millions

It's just been disclosed that a hacker stole sensitive data from computer systems used by TJX, parent company of retailers TJ Maxx and Marshalls. HomeGoods, A.J. Wright, Winners and HomeSense stores, all subsidies of TJX, may also be affected.

The hackers targeted systems which TJX uses to handle credit and debit transactions for stores in the U.S. and Puerto Rico, but the company admits its still investigating the full depth of the compromise.

TJX representatives said the security breach occurred sometime in May, but the compromise continued until mid-December. The unauthorized intrusion was initially detected by the company sometime in December but only publicly revealed last week.

Visa USA is providing help to the banks of all affected customers. The Bank of America and American Express are also watching accounts that may be used for fraudulent transactions. TJX has established a helpline for all customers who have questions or concerns about the incident: 866-484-6978 in the United States, 866-903-1408 in Canada and 0800-77-90-15 in the United Kingdom and Ireland.

TJX has not disclosed how many customers were left vulnerable from the security breach, though it states that transactions it knows are compromised occurred between May and December 2006 and transactions in 2003.

TJX urges customers to check their bank transactions for irregular behavior.

Comments

Threshold

Username
Password
remember me

This article is over a month old, voting and posting comments is disabled

Let them be responsible for this.

By crystal clear on 1/22/2007 7:49:14 AM , Rating: 4

The problem is not simple as it sounds.
Time to Act on this .
Make companies responsible for our data protection & SUE them for damages for loss of Data/theft.
Make them PAY for this.

Quote-

In April 2005, retailer DSW Shoe Warehouse reported that hackers broke into a company database and stole the names and credit card numbers of approximately 1.4 million individuals, along with checking account information of an additional 96,000 customers.

The event led the company to settle charges levied against it by the U.S. Federal Trade Commission that it had not properly protected the information, and in its financial earnings the firm reported costs between $6.5 million and $9.5 million related to responding to the event.

During the same month, officials at banking giant HSBC North America notified an estimated 180,000 individuals that their General Motors-branded MasterCard account information may have been stolen from point-of-sale terminals at retailer Polo Ralph Lauren.

One of the major catalysts behind the wave of data theft incidents reported over the last several years has been the adoption by at least 33 U.S. states of legislation similar to the California Security Breach Information Act, passed in 2003, which requires businesses to disclose potential data exposure to customers and regulators.

There are currently at least four bills pending on Capitol Hill which seek to establish national data protection measures that have requirements similar to the California bill, known widely by its numeric designation, 1386.

Experts observed that data theft incidents such as the one reported by TJX are far more dangerous to the consumers than the rash of lost or stolen laptops that have also been reported over the last several years.

http://www.eweek.com/article2/0,1895,2085426,00.as...

Also-

Quote-

Trend Micro's researchers also found the underground marketplace saturated with personal data stolen in phishing attacks and virtual currency hijacked from online gamers.

Genes said the average prices for credit card and bank log-in data can vary dramatically, depending on the bank's brand and the way the data is mapped to names, Social Security numbers, dates of birth and physical addresses.

A custom Trojan capable of stealing online account information can be bought for between $1,000 and $5,000, while a botnet-building piece of malware can cost between $5,000 and $20,000, Genes said.

Credit card numbers with valid PINs are sold for $500 each, while billing data that includes an account number, physical address, Social Security number, home address and birth date can be found for between $80 and $300.

The auction marketplace is also selling driver's licenses for $150, birth certificates for $150, Social Security cards for $100, and credit card numbers with security code and expiration date for between $7 and $25.

PayPal or eBay account credentials are available for $7, Genes said

http://www.eweek.com/article2/0,1895,2073611,00.as...

Unquote-

*Get those HACKERS-its now organized crime - more profitible
than drugs .

*They plant hackers(as workers) into companies to get access
to their computers.

*they catch them(hackers) young (sudents at University)
and finance their educational expenses & more.

* the students have the temptation for some quick hefty
buck (get rich the fast forward way)

The source of this crime leads us in most cases to Russia & China.It all start there -the Home of HACKERS.

RE: Let them be responsible for this.

By Chadder007 on 1/22/2007 9:43:10 AM , Rating: 2

Cash is still the only good way to go. Ive had so much trouble with my credit cards/checking account lately, I think ill just withdraw cash from now on and forget this crap. Its not worth it anymore.

Parent

inside job

By Lazarus Dark on 1/22/2007 10:18:03 AM , Rating: 3

I used to install satellite communications infrastructure for various companies, including tjmaxx. Their credit card verification system is on a closed satellite network through Hughes Network Systems. It is not accessible through regular lines. Therefore, either these hackers are scarily, dangerously smart enough to hack into closed satellite networks, or it was an inside job, not with tjmax, perhaps, but with someone who is (or was) very familiar with the network hughes uses for the credit card verification of their customers. I'd start looking at past and present satellite techs.

(btw, it wasn't me, I'm too busy playing with my new hi def tv)