[Dataloss] TJX breach involved 45.7m cards, company reports

James Ritchie james_ritchie at sbcglobal.net
Thu Mar 29 15:45:44 UTC 2007


FTC will eventually get involved with a suit of unfair business practice
as well for failure to take appropriate security measures to protect
sensitive information. ChoicePoint and CardSystems settled with the
FTC for $10 million in civil penalties and $5 million for consumer
redress. Both of these companies also have to have an external audit
performed every 2 years, for 20 years, by an independent security expert
to attest to their controls on the systems.



B.K. DeLong wrote:
> Don't forget there's probably a PCI fine as well as the possibility of
> loss of processing rights.  Though, that would kill TJX, (not that
> they're not hurting already).
>
> On 3/29/07, DAIL, ANDY <ADAIL at sunocoinc.com> wrote:
>> At $30 per card, that's close to $1.3B just in re-issuance costs, in
>> addition to any fines or lawsuits.  They'll never be able to account for
>> the cost of lost business.
>>
>> I'd wager a comprehensive PCI-DSS program looks like a bargain, in
>> hindsight.
>>
>>
>> -----Original Message-----
>> From: dataloss-bounces at attrition.org
>> [mailto:dataloss-bounces at attrition.org] On Behalf Of B.K. DeLong
>> Sent: Wednesday, March 28, 2007 9:13 PM
>> To: lyger
>> Cc: dataloss at attrition.org
>> Subject: Re: [Dataloss] TJX breach involved 45.7m cards, company reports
>>
>>
>> Finally. Glad we finally know.
>>
>> On 3/28/07, lyger <lyger at attrition.org> wrote:
>>> (Keep in mind that these are credit card NUMBERS, and not PEOPLE...
>>> people often have more than one card.  Attrition's Dataloss Database
>>> (DLDOS) will be updated accordingly)
>>>
>>> http://www.boston.com/business/ticker/2007/03/tjx_breach_invo.html
>>>
>>> At least 45.7 million credit and debit card numbers were stolen by
>>> hackers who broke into the computer systems at the TJX Cos. in
>>> Framingham and the United Kingdom and siphoned off data over a period
>>> of several years, making it the biggest breach of personal data ever
>>> reported, according to security specialists.
>>>
>>> TJX, the Framingham discounter that operates the T.J. Maxx and
>>> Marshalls clothing chains, also reported in a regulatory filing
>>> yesterday that another 455,000 customers who returned merchandise
>>> without receipts had their personal data stolen, including drivers'
>>> license numbers. "It's the biggest card heist ever," said Avivah
>>> Litan, vice president of Gartner Inc. "This was obviously done over a
>>> long period of time, in many locations. It's done considerable
>>> damage."
>>>
>>> [...]
>>> _______________________________________________
>>> Dataloss Mailing List (dataloss at attrition.org)
>>> http://attrition.org/dataloss Tracking more than 158 million
>>> compromised records in 609 incidents over 7 years.
>>>
>> --
>> B.K. DeLong (K3GRN)
>> bkdelong at pobox.com
>> +1.617.797.8471
>>
>> http://www.wkdelong.org                    Son.
>> http://www.ianetsec.com                    Work.
>> http://www.bostonredcross.org             Volunteer.
>> http://www.carolingia.eastkingdom.org   Service.
>> http://bkdelong.livejournal.com             Play.
>>
>>
>> PGP Fingerprint:
>> 38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE
>>
>> FOAF:
>> http://foaf.brain-stream.org

-- 
James Ritchie
CISA, MCSE, MCP+I, M-CIW-D, CIW-CI, Inet+, Network+, A+
