[Dataloss] followup: Bankers association reports fraud resulted from hack of TJX customer data (fwd)

security curmudgeon jericho at attrition.org
Thu Jan 25 03:53:50 EST 2007



---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
Subject: [ISN] Bankers association reports fraud resulted from hack of TJX customer data

http://www.smh.com.au/news/Technology/Bankers-association-reports-fraud-resulted-from-hack-of-TJX-customer-data/2007/01/18/1168709865048.html

The Sydney Morning Herald
January 25, 2007

Customer data stolen from TJX Cos. by computer hackers has been used to 
make fraudulent debit card and credit card purchases in the United States 
and overseas, the Massachusetts Bankers Association said Wednesday.

The fraudulent purchases have been made in Florida, Georgia, and 
Louisiana, and overseas in Hong Kong and Sweden, the association said.

Nearly 60 banks have reported they've been contacted by credit and debit 
card companies about compromised cards, the association said. The number 
is likely to grow because fewer than half of the association's 205 banks 
have reported to it on the issue.

"We expect that this is going to continue and the fraud may widen," said 
association spokesman Bruce Spitzer. "This is just the first reports we 
have confirmed."

The state association's report of fraud is among the first in the country 
since TJX disclosed the breach last week. On Tuesday, the Vermont Bankers' 
Association said a bank it refused to name had been told by TJX that more 
than 1,600 of the bank's customers had their account numbers compromised.

Framingham-based TJX (operator of T.J. Maxx and Marshalls discount 
stores, as well as HomeGoods and A.J. Wright in the U.S., Winners and 
HomeSense in Canada, and T.K. Maxx in Britain) did not immediately return 
a call seeking comment Wednesday.

Last week, TJX said hackers had broken into a system that handles credit 
and debit card transactions, as well as checks and merchandise returns, for 
customers in the U.S. and Puerto Rico, and that the breach may involve 
customer accounts from the United Kingdom and Ireland.

The company said the stolen customer data included information from 2003 
transactions, as well as information from mid-May 2006 through December, 
when the company discovered the breach. TJX has refused to say how many 
customers had their data stolen or accessed.

Avivah Litan, a data security analyst for Gartner Inc., said it may be 
difficult for the company to determine the scope of the breach because the 
thieves had a lot of time to sell and circulate the information before the 
hack was discovered.

"They can't put a wall around it," she said. "That's what's so disconcerting 
about it."

Credit card companies have noted that consumers are not responsible for 
fraudulent purchases. Spitzer said state banks are notifying customers 
about fraudulent purchases and reissuing cards in some cases.

Spitzer said it's too early to know the number of fraudulent purchases, or 
their costs. But he said the cost to banks of reissuing hundreds of 
thousands of cards alone will be "enormous."

Copyright 2006 AP DIGITAL

