TJX data breach: At 45.6M card numbers, it's the biggest ever
It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to.
Customer names and addresses were not included with any of the payment card data believed stolen from the Framingham systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions after September 2003, TJX said. Also by April 3, 2006, the company had begun to mask payment card PIN data and "some other portions of payment card transaction information" as well as check transaction information, the company said.
"We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided ... we believe that we may never be able to identify much of the information believed stolen," TJX said.
The company has so far spent about $5 million in connection with the breach, although it is hard to say what other costs may be incurred, the company warned. It cited several lawsuits that have been filed against it since the breach was announced. The company was sued recently by the Arkansas Carpenters Pension Fund, one of its shareholders, for its failure to divulge more details about the breach.
Avivan Litan, an analyst with Stamford,Conn.based Gartner Inc., expressed surprise at the scope of the breach. "I had heard rumors that it was bigger than CardSystems, but I was still somewhat shocked it was actually this big."
The number involved in the breach "makes this the biggest card heist ever," she said. "It proves there are still very sophisticated cybercriminals out there at large who have the potential to wreak havoc on pure-payment systems and who have already stolen millions of dollars from consumers and financial institutions," she said.
"If this isn't a wakeup call for stronger card and payment system security, I'm not sure what is," she said.
TJX's disclosure comes just days after six Florida residents were arrested for allegedly launching a multimillion-dollar statewide credit card fraud ring using information stolen from the company. Losses experienced by Wal-Mart Stores Inc. and other retailers because of the fraud have so far totaled at least $8 million.
Related Articles and Opinion
Massive data thefts
- Update: Mastermind of TJX, Heartland breaches to plead guilty
- Alleged data-heist kingpin is a computer addict, lawyer says
- Gonzalez's lawyer to contend he was not the kingpin of Heartland, Hannaford breaches
- Hacking kingpin negotiating plea deal with feds
- Three indicted for hack attacks on Heartland, Hannaford
- TJX data breach: At 45.6M card numbers, it's the biggest ever
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts