Scope of TJX data breach doubles: 94M cards now said to be affected
The company at first said 45.6M accounts had been breached
Computerworld - For anyone who thought that 45 million was an absurdly high number of payment cards to be compromised in a data breach, try 94 million.
That's the total number of cards actually exposed in the breach disclosed by TJX Companies Inc. earlier this year, according to court documents filed yesterday by a group of banks suing the Framingham, Mass.-based retailer over the incident.
The filings, made in federal court in Boston, relate to a dispute over whether the multiple financial institutions who are plaintiffs in the case should be treated as a class or whether each bank would be required to pursue individual cases against TJX. The plaintiffs in the case include the Massachusetts Bankers Association, the Connecticut Bankers Association, the Maine Association of Community Banks and AmeriFirst Bank Inc.
In documents arguing for class action status, the banks claim that the TJX breach affected 94 million separate card holder accounts over a 17-month period -- not 45.6 million accounts, as TJX had disclosed. Quoting figures supplied by the card companies themselves, the bankers said that the breach affected approximately 65 million Visa account numbers and an additional 29 million MasterCard accounts. To date, the losses by card-issuing companies on Visa accounts alone total between $68 million and $83 million, the banks said, citing the Visa information.
"Unlike other limited data breaches where 'pastime hackers' may have accessed data with no intention to commit fraud, in this case it is beyond doubt that there is an extremely high risk that the compromised data will be used for illegal purposes," the bankers said in an affidavit. "Faced with overwhelming exposure to losses it created, TJX continues to downplay the seriousness of the situation."
TJX officials did not immediately respond to a request for comment.
The figures included in the court documents, if accurate, more than double the size of the TJX breach, which had originally been pegged at 45.6 million cards based on estimates from the retailer itself. Even that number represented the biggest-ever compromise of payment card data. The next-closest data compromise is the mid-2005 breach at CardSystems Solutions Inc., which involved about 40 million cards.
The large discrepancy between the numbers supplied by TJX and those from the banks suggest that TJX did not have the log data needed to do a proper forensic analysis of the incident, said Michael Maloof, chief technology officer at Trigeo Network Security Inc., a vendor of security event management tools in Post Falls, Idaho. All too often, he said, companies that don't have processes in place for collecting and storing log data wind up losing the telltale tracks left behind by computer intrusions.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts