http://www.theregister.co.uk/2007/10/24/tjx_breach_estimate_grows/
By Dan Goodin
24th October 2007
The world's largest credit card heist may be bigger than we thought.
Much bigger.
According to court documents filed by a group of banks, more than 94
million accounts fell into the hands of criminals as a result of a
massive security breach suffered by TJX, the Massachusetts-based
retailer.
That's more than double what TJX fessed up to in March, when it
estimated some 45.7 million card numbers were stolen during a 17-month
span in which criminals had almost unfettered access to the company's
back-end systems. Going by the smaller estimate, TJX still presided over
the largest data security SNAFU in history. But credit card issuers are
accusing TJX of employing fuzzy math in an attempt to contain the
damage.
"Unlike other limited data breaches where 'pastime hackers' may have
accessed data with no intention to commit fraud, in this case it is
beyond doubt that there is an extremely high risk that the compromised
data will be used for illegal purposes," read the document, filed
Tuesday in US District Court in Boston. "Faced with overwhelming
exposure to losses it created, TJX continues to downplay the seriousness
of the situation."
TJX officials didn't return a call requesting comment for this story.
The new figures may mean TJX will have to pay more than previously
estimated to clean up the mess. According to the document, Visa has
incurred fraud losses of $68m to $83m resulting from the theft of 65
million accounts. That calculates to a cost of $1.04 to $1.28 per card.
Applying the same rate to the 29 million MasterCard numbers lost, the
total fraud losses alone could top more than $120m.
Research firms have estimated the total loss from the breach could reach
$1bn once settlements, once legal settlements and lost sales are
tallied. But that figure was at least partly based on the belief that
fewer than 46 million accounts were intercepted.
TJX has taken serious flack for allowing the breach to happen. Last
month, Canada's privacy commissioner criticized the company for
collecting too much data and using inadequate means of protecting it.
According to the commissioner's report, TJX believes intruders gained
access through company Wi-Fi networks that employed Wired Equivalent
Privacy (WEP) as the sole means of securing the system.
Security pros have long known the encryption protocol can be cracked
through brute force attacks, sometimes in a matter of minutes.
So far, there have been no arrests directly associated with the breach.
However, six people detained in Florida after using credit card
information stolen from TJX later pleaded guilty to fraud-related
charges.
US law enforcement officials have also taken a keen interest in a
Ukrainian man arrested for selling stolen credit card numbers in online
forums. Many of the stolen accounts belonged to customers whose
credentials were siphoned out of TJX's rather porous network.
The plaintiff's filings came in a legal tussle over whether the bank's
lawsuit should qualify as a class action. TJX is arguing the banks don't
qualify as a class, an outcome that would significantly increase the
costs of pursuing the case. ®
Received on Thu Oct 25 05:07:03 2007