[Dataloss] followup: Customer Data Breach Began in 2005, TJX Says (fwd)

security curmudgeon jericho at attrition.org
Fri Feb 23 04:53:36 EST 2007



---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>
Subject: [ISN] Customer Data Breach Began in 2005, TJX Says

http://www.washingtonpost.com/wp-dyn/content/article/2007/02/21/AR2007022102039.html

By Ellen Nakashima
Washington Post Staff Writer
February 22, 2007

Retail giant TJX, whose stores include discount clothing chains T.J. Maxx 
and Marshalls, said yesterday that a computer-security breach stretched 
back 10 months earlier than the company originally thought, compromising 
credit and debit card data, drivers' license numbers, and names and 
addresses.

The announcement underscores a trend of security breaches involving 
sensitive credit card data and reflects failures to properly secure 
computer systems, to notify customers when breaches occur and to update 
laws for the cyber-crime age, lawmakers and analysts said.

TJX said that while it first thought the intrusion took place from May 
2006 to January 2007, it now thinks its computer system was also hacked in 
July 2005 and on "various subsequent dates" that year. The company, which 
reported the intrusion in January -- a month after it said it discovered 
the breach -- has not said how many customers may have been affected or 
how many customers it has notified.

"We don't have a number for you there. Our work is not finished," 
spokeswoman Sherry Lang said yesterday. More than 50 computer experts are 
helping TJX investigate the breaches, she said.

Banks that issued the credit cards have not said how much they have had to 
cover in fraud-related losses.

More than 30 states have laws that require companies to notify customers 
as soon as possible when a breach has occurred, though most of the 
statutes let companies delay notification while law enforcement agencies 
investigate. A bipartisan group of senators has reintroduced legislation 
that would mandate customer notification and require companies that 
maintain personal information to establish internal policies to protect 
it.

"Americans live in a world where their most sensitive personal information 
can be accessed and sold to the highest bidder, with just a few keystrokes 
on a computer, yet our privacy laws haven't kept pace," Sen. Patrick J. 
Leahy (D-Vt.) said in a statement when the legislation was reintroduced 
this month.

The credit card industry has set up rules for data protection called the 
Payment Card Industry Data Security Standard. They include encrypting 
transmission of cardholder data, regularly testing security systems and 
processes, and restricting access to data to those with a "need to know."

But most large retailers have not complied with the standard, and 
noncompliance is about 80 percent among smaller retailers, said Avivah 
Litan, an analyst with Gartner, an information technology research firm.

Litan said the retailers are not solely to blame. "It's a collective 
problem with collective responsibility," she said. "Certainly the 
retailers have to tighten up their systems, but the banks have to 
strengthen cardholder authentication so even if the data is stolen, it's 
useless."

Security breaches are difficult to quantify accurately. The Privacy Rights 
Clearinghouse, a nonprofit research and advocacy group in San Diego, said 
more than 100 million records of U.S. residents have been exposed by 
security breaches since February 2005.

The privacy group and the nonprofit Identity Theft Resource Center, also 
in San Diego, found that the majority of breaches they have tracked in the 
past few years occurred in government, the military and universities.

One of the biggest breaches occurred in 2005, when 40 million credit card 
numbers, along with name and account information, were exposed by hackers 
who broke into CardSystems Solutions, a credit card processing center that 
handled transfers of payments between the banks that issue credit cards 
and the merchants' banks.

Retailers often keep more data than necessary to process transactions, 
Litan said. They also keep information longer than necessary, she said.

"The CEOs and senior managers of most retailers that are storing data, 
like TJX, have no idea they're storing that data," Litan said. "It's 
basically a legacy of old systems programming." Many retailer systems were 
built in the 1970s and '80s, before there were hackers.
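The two points above, that the PCI DSS restricts stored cardholder data to those with a need to know and that retailers often retain full card numbers in legacy systems without realising it, are easiest to see in code. The following is an added example, not code from the article, TJX, or the PCI Council: it scans constructed log records of the kind a legacy authorization system might write, finds stored primary account numbers (PANs) by length plus Luhn check, and rewrites each record so that only a masked PAN (first six and last four digits, the display form PCI DSS permits) and a keyed token remain, dropping the expiry date. The record format, the field names (pan=, exp=, amt=) and the HMAC key are all assumptions made for the example.

```python
import hmac
import hashlib
import re

# Constructed sample records (not real TJX data): a legacy authorization log
# that retained full card numbers and expiry dates after the sale completed.
SAMPLE_RECORDS = [
    "2005-07-14 13:02:11 store=0412 auth ok pan=4539578763621486 exp=0907 amt=42.17",
    "2005-07-14 13:05:40 store=0412 auth ok pan=5425233430109903 exp=1108 amt=17.99",
    "2005-07-14 13:06:02 store=0412 loyalty id=1234567890123456 amt=0.00",
    "2005-07-14 13:09:55 store=0412 auth declined pan=4111111111111111 exp=0406 amt=99.00",
]

# Placeholder key for the example; a real deployment would hold this in an HSM
# or a secrets manager, never in source.
TOKEN_KEY = b"EXAMPLE-KEY-NOT-FOR-PRODUCTION"

# Runs of 13 to 19 digits not bordered by other digits: the PAN length range.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    digits over 9 have 9 subtracted, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit runs that look like card numbers and pass the Luhn check.
    The check removes most false positives such as loyalty or order numbers."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group(0))]


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Inventory step: which records still hold full PANs, and which numbers."""
    found = {}
    for idx, record in enumerate(records):
        pans = find_pans(record)
        if pans:
            found[idx] = pans
    return found


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed HMAC token: lets fraud analysts link repeat transactions on the
    same card without the stored value being usable as a card number."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]


def minimize_record(record: str) -> str:
    """Rewrite a record so it no longer contains data the business does not
    need after authorization: full PAN replaced by mask plus token, expiry dropped."""
    out = record
    for pan in find_pans(record):
        out = out.replace(pan, f"{mask_pan(pan)} token={tokenize_pan(pan)}")
    out = re.sub(r"\s*exp=\d{4}", "", out)
    return out


if __name__ == "__main__":
    for idx, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: stored PAN(s) {pans}")
    for record in SAMPLE_RECORDS:
        print(minimize_record(record))
```

Running the inventory over a real data store in this way is how a retailer discovers the "legacy of old systems programming" Litan describes; the minimization step then leaves nothing for an intruder to take beyond a display-safe fragment and a token that is useless without the key.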

Many banks are frustrated because they are "left having to pay for the 
mistakes of retailers," to cover reissuing cards and any losses due to 
fraud, said Nessa Feddis, senior federal counsel for the American Bankers 
Association.

"Retailers are not protecting the data," she said. "It's not a question of 
notification. It's a responsibility to protect the data."

The bankers typically do not know the scope of retailer breaches because 
of confidentiality agreements between the retailers and the issuing card 
companies, such as Visa and MasterCard.

In Massachusetts, where TJX is headquartered, the Massachusetts Bankers 
Association stopped surveying its members in connection with the TJX 
breach after more than 30 banks were alerted by Visa and MasterCard that 
their cards had been compromised by the TJX intrusion, association 
spokesman Bruce Spitzer said.

TJX operates more than 2,400 stores in the United States, Canada and 
Europe. They accept Visa, MasterCard, American Express and Discover credit 
cards.

The company reported yesterday that same-store sales in the fourth quarter 
rose 5 percent from the comparable quarter a year earlier. The quarter 
ended Jan. 27, 10 days after the breach was disclosed.

TJX, which is being sued by customers and banks, also reported that it 
spent $5 million in the fourth quarter to cover costs of the 
investigation, enhance computer security and communicate with customers.

Fourth-quarter profit fell 29 percent, to $205.5 million. Sales rose 9 
percent, to $5.1 billion. For the full fiscal year, TJX profit rose 7 
percent, to $738 million. Sales rose 9 percent, to $17.4 billion.

Copyright 2007 The Washington Post Company