PCI DSS and Regulatory Compliance Blog

TJMaxx credit card compromise

January 19th, 2007 Posted in Credit Card Fraud, Merchant

It looks like the TJX (TJ Maxx, Marshalls, HomeGoods, A.J. Wright) compromise story has finally hit the news. We have to be careful to report only what is in the public domain, so here is our best attempt to do so. (This reminds me of the large compromise in January of 2004.)

The breach at TJX appears to be the most significant one at a retailer since a compromise at an unidentified company — widely believed to be OfficeMax Inc. — led to a worldwide outbreak of debit card fraud last March.

The breach is reported as:

A major component of the PCI standard is a requirement that forbids retailers from storing credit and debit card data on point-of-sale systems. All retailers must ensure that their POS systems are purged of such information, which includes magnetic stripe, PIN and card verification value data.

Consumer Affairs reports the period over which data was compromised:

The hack itself involved the compromise of credit and debit card data … through 2003, and again in the latter half of 2006.

TJX … detected the hack in mid-December 2006.

A TJX press release [PDF] states that “a limited number of credit card and debit card holders whose information was removed from its system.” I don’t know how a compromise lasting potentially 3 years results in a “limited number” of data loss. Maybe they are calculating it as a percent of total credit card numbers accepted over that 3 year period.

In the comments of the ComputerWorld article one person writes:

I was just notified by VISA and my local bank that I am one of the victims of this large Credit Card theft.

They reported that a $ 0.01 charge was made to my card on 1-14-07, followed by a series of six charges the following day. I confirmed that I made none of them, and they immediately disabled the card to stop the use of my stolen card information.

It is very common in credit card fraud to test a card once with a tiny charge and then charge large amounts to it over the following days. Stolen cards usually only last about 1-2 days before the issuers catch on and cancel the card.
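The pattern the commenter describes (a $0.01 probe, then a burst of larger charges the next day) is easy to detect on the issuer side once authorizations are grouped per card. The following is an added example written for this post, not TJX, Visa or bank code: it runs over a constructed authorization log (the tokens, merchants and amounts are made up) and flags any card where a micro-charge is followed within 48 hours by several charges above a threshold. The thresholds are assumptions to be tuned per portfolio.

```python
"""Detect the 'penny test' fraud pattern: a tiny authorization on a card
followed, within a short window, by a burst of larger charges."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data). Fields:
# timestamp, card token (issuer-side surrogate for the PAN), amount, merchant.
SAMPLE_LOG = """\
2007-01-14T09:12:00,tok_4a1f,0.01,ONLINE-SUBSCRIPTIONS
2007-01-14T18:40:00,tok_7c22,42.15,GROCERY-MART
2007-01-15T08:03:00,tok_4a1f,219.99,ELECTRONICS-STORE
2007-01-15T08:11:00,tok_4a1f,480.00,ELECTRONICS-STORE
2007-01-15T09:30:00,tok_4a1f,150.00,GIFT-CARDS-R-US
2007-01-15T11:02:00,tok_4a1f,75.50,ONLINE-GAMES
2007-01-15T13:45:00,tok_4a1f,320.00,JEWELRY-OUTLET
2007-01-15T16:20:00,tok_4a1f,99.00,ONLINE-GAMES
2007-01-15T10:00:00,tok_7c22,0.50,COFFEE-SHOP
2007-01-16T12:00:00,tok_7c22,18.00,COFFEE-SHOP
"""


def parse_transactions(text):
    """Parse CSV-style authorization lines into dicts; blank lines are skipped."""
    txns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, token, amount, merchant = line.split(",")
        txns.append({
            "ts": datetime.fromisoformat(ts),
            "token": token,
            "amount": float(amount),
            "merchant": merchant,
        })
    return txns


def find_test_charge_patterns(txns, micro_max=1.00, window=timedelta(hours=48),
                              min_followups=3, min_followup_amount=50.0):
    """Return one alert per card where a micro-charge (<= micro_max) is
    followed within `window` by at least `min_followups` charges of
    `min_followup_amount` or more. Alerts are sorted by card token.
    All thresholds are assumed defaults, not values from any issuer."""
    by_token = defaultdict(list)
    for t in txns:
        by_token[t["token"]].append(t)

    alerts = []
    for token, items in by_token.items():
        items.sort(key=lambda t: t["ts"])
        for i, probe in enumerate(items):
            if probe["amount"] > micro_max:
                continue  # not a candidate test charge
            followups = [t for t in items[i + 1:]
                         if t["ts"] - probe["ts"] <= window
                         and t["amount"] >= min_followup_amount]
            if len(followups) >= min_followups:
                alerts.append({
                    "token": token,
                    "probe_ts": probe["ts"],
                    "followup_count": len(followups),
                    "followup_total": round(sum(t["amount"] for t in followups), 2),
                })
                break  # one alert per card is enough to trigger a review
    return sorted(alerts, key=lambda a: a["token"])


if __name__ == "__main__":
    for alert in find_test_charge_patterns(parse_transactions(SAMPLE_LOG)):
        print(alert)
```

On the sample log only tok_4a1f is flagged: the second card also has a sub-dollar coffee purchase, but nothing above the follow-up threshold after it, which is why the amount floor matters as much as the window.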

FYI for those who were affected.

TJX has set up toll free numbers for customers who may have concerns regarding the breach. U.S.-based customers can call 866-484-6978. The number for customers in Canada is 866-903-1408, while those in the U.K. and Ireland can call 0800-77-90-15.

The idea of a large compromise brings up questions of liability, fines, fees, and penalties. Instead of waiting for liability to become a problem, companies should be focusing on proactive PCI compliance. Avivah Litan, the Gartner analyst who reports most often on PCI, is quoted as saying that 50% of Level 1 merchants (in the USA) have validated their compliance. This is not the 75% hoped for by Q4 '06, but it is a significant number.

Update: Hell of a week for online crime

Update: CBC News (Canada) reports that the TJX compromise put at risk many credit card numbers of subsidiaries Winners and HomeSense. (The website also has an aggregate number of identity theft complaints reported in the different provinces of Canada in 2005 along with the associated monetary loss. In most cases, identity theft is unrelated to credit card fraud, but the numbers are interesting… seems there was only one reported victim in Nunavut.)

It’s believed that as many as two million Canadian Visa card accounts were affected. The hack was discovered in mid-December and included transactions between 2003 and part of 2006.

Update: An LJ member has a Q&A on the TJX compromise.

Update: The Globe and Mail reports that potentially 40 million cards were compromised, 20 million of which could be Visa cards.

Some reports have suggested that more than 40 million credit cards were exposed by the TJX break-in, which would make it one of the largest such incidents to hit North America. Sources said Visa alone is informing partners that 20 million of its cards could be affected, and there are estimates in the financial community that between one million and two million Canadian cards issued by banks and other institutions could have been left vulnerable by the breach. Visa would not confirm the numbers.

The Canadian Imperial Bank of Commerce (CIBC) lost computer data pertaining to 470,000 investors. Soon thereafter the Privacy Commissioner got involved:

The federal Privacy Commissioner has launched separate investigations into a pair of massive security breaches that could potentially compromise the personal information of millions of Canadian investors and credit card users.

The CIBC gaffe came just one day after U.S. retailer TJX Cos., whose chains include Winners and HomeSense, said it had been victimized by a hacker who repeatedly broke into its network and stole customer data. The two incidents were unrelated.

Update: Looks like Fifth Third Bank is the acquiring bank for TJX. They would be the institution fined for any non-compliance or fraud associated with this compromise. Of course the fines could be “passed on” to the merchant.

As of April, Fifth Third was the fourth-biggest processor of bank-issued credit cards in the nation with $138.6 billion in sales passing through its computers, according to The Nilson Report, an industry news and research company in Carpinteria, Calif.

In 2005, data processing accounted for 9.2 percent of Fifth Third’s total revenue. Indeed, TJX isn’t the only major retailer that’s a customer of Fifth Third Bank Processing Solutions, which handles over 17 billion transactions each year. So are Kroger, Nordstrom and Abercrombie & Fitch.

Update: ComputerWorld reports that the TJX breach occurred long before it was detected. This should not be anything new, as most breaches occur long before they are detected. In fact, I would not be surprised if they reported that it occurred many more months (12-18) earlier, which is standard for credit card hackers.

The breach occurred as far back as mid-May 2006 but was only discovered in mid-December, said company spokeswoman Debra McConnell.

A Canadian law firm, the Merchant Law Group, filed a class-action lawsuit against Winners and HomeSense, two TJX-owned retailers in Canada whose customers were affected by the breach.

The lawsuit was filed in courts in six Canadian provinces and seeks “financial recovery on behalf of all individuals for whom personal information has been revealed,” a statement posted on the company’s Web site said.

Update: Another personal experience of this data breach: “TJX Identity Theft hits me hard”

Update: TJX reports the storage of Track 2 data (thanks Ambersail):

TJX hasn’t disclosed what information was compromised. But according to the MBA and other financial industry sources, the retailer appears to have been storing account numbers, expiration dates and other so-called Track 2 data taken from the magnetic stripe on the back of cards. Keeping such data is forbidden under PCI.
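Both the PCI requirement quoted earlier (POS systems purged of magnetic stripe data) and this report of Track 2 data being retained come down to the same compliance check: sweep POS logs, database dumps and crash files for stored track data and purge whatever turns up. The block below is an added example written for this post, not a tool from TJX, the PCI council or any vendor. It scans a constructed POS debug log (the card numbers are published test numbers, the log lines are made up), matches the standard Track 2 layout (start sentinel `;`, PAN, `=`, YYMM expiry, service code, discretionary data, `?`), drops digit runs that fail the Luhn check, and reports only masked PANs so the sweep report itself does not become another copy of cardholder data.

```python
"""PCI sweep helper: find magnetic-stripe Track 2 records persisted in text
(logs, dumps, config) so they can be purged. Reports masked PANs only."""
import re

# Track 2 layout: ';' start sentinel, PAN (13-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})([0-9]*)\?")

# Constructed POS debug log (not real data). The two Luhn-valid PANs are
# well-known published test numbers; the third is a random digit run.
SAMPLE_POS_LOG = """\
2006-11-02 13:05:11 POS-07 auth request amt=54.20
2006-11-02 13:05:11 POS-07 DEBUG raw=;4111111111111111=0912101123456789?
2006-11-02 13:05:12 POS-07 auth approved ref=000187
2006-11-02 13:09:40 POS-07 DEBUG raw=;1234567890123456=0801101000?
2006-11-02 13:12:03 POS-07 DEBUG raw=;5555555555554444=1003201000000?
"""


def luhn_ok(pan):
    """Mod-10 check that separates real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form that keeps only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text):
    """Return one finding per Track 2 record whose PAN passes Luhn and whose
    expiry month is plausible. The full PAN is never placed in the result."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            pan, yy, mm, service = m.group(1), m.group(2), m.group(3), m.group(4)
            if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
                continue        # digit run that only looks like track data
            findings.append({
                "line": line_no,
                "masked_pan": mask_pan(pan),
                "expiry": f"{mm}/{yy}",
                "service_code": service,
            })
    return findings


if __name__ == "__main__":
    for f in find_track2(SAMPLE_POS_LOG):
        print(f"line {f['line']}: {f['masked_pan']} exp {f['expiry']} "
              f"service {f['service_code']}")
```

Run against real log directories the same function should be pointed at each file in turn; a hit on a line tagged DEBUG, as in the sample, usually means a diagnostic setting on the POS software is writing the raw swipe, which is the setting to turn off before the file is purged.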

Update: Visa reassures cardholders of its Zero Liability policy, meaning you will not have to pay for fraud (directly). They have a PDF, “What are the details of the recent data compromise at TJX Companies.”
