Major US clothing retailer hacked potentially affecting millions

Powered by SC Magazine

A major clothing retailer announced Wednesday that hackers accessed its network and stole an unknown amount of credit card information.

TJX Companies, a discount apparel and home fashions department store chain that includes T.J. Maxx and Marshalls stores, said in a statement that the extent of the breach remains unknown, although thieves may have been silently pilfering private data for up to three years before their actions were detected in December.

Potentially millions of customers may be impacted, experts said.

"It's yet another example of how attackers have gone pro and really focused on the data," Ted Julian, vice president of marketing and strategy at New York-based data security firm AppSecInc, told SCMagazine.com today.

The breach affects credit card, debit card, check and merchandise return transactions for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the United States and Puerto Rico and Winners and HomeSense stores in Canada.

The incident also may affect customers of Bob's Stores in the United States and T.K. Maxx in the United Kingdom and Ireland.
The company, which has 2,500 storefronts, would not say exactly how many customers are possibly affected.

Ben Cammarata, chairman and acting CEO of TJX, suggested in the statement that customers should monitor their credit card records for unauthorised transactions.

"We are deeply concerned about this event and the difficulties it may cause our customers," he said. "We want to assure our customers that this issue has the highest priority at TJX."

Visa is contacting affected financial institutions to inform them that the cards they issued are involved in the breach, Rosetta Jones, vice president of Visa USA, said today in a statement. She added that all major credit cards accepted by TJX were impacted by the incident.

"Visa is risk scoring all transactions in real-time, helping card issuers better distinguish fraudulent transactions from legitimate ones," Jones said.

Visa has already contacted about 10 banks in Massachusetts, Bruce Spitzer, a spokesman for the Massachusetts Banking Association, told SCMagazine.com today. That number is expected to rise significantly today as the association, which represents 205 banks in the state, surveys its members, Spitzer said.

He said the incident concerns his organization because banks likely will be left absorbing the costs of fraudulent activity and re-issuing credit cards.

"If a retailer has a data breach because they're sloppy, why does the bank have to absorb all the costs?" Spitzer said. "It could potentially be a very big hit."

TJX has hired several network security providers to determine what personal information was compromised and to implement new safeguards, according to the statement.

"With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems," the statement said, providing no specific details.

"While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores."

Julian would not speculate on what security measures may have been lacking, but he said encryption and activity monitoring solutions could help safeguard companies in this era of silent, targeted attacks.

"People are after your data," he said. "They're much more resourceful. They're much more devious in how they go about it, and the stakes are getting even higher."

TJX is working with law enforcement authorities and credit card providers in an investigation.

Julian said it will be interesting to learn whether TJX was in full compliance with the Payment Card Industry (PCI) standard, which consists of 12 guidelines to protect customer information.

The fact that TJX reported the breach suggests the data was not encrypted, one of the requirements of PCI.

"It's essential for all businesses that handle payment card information to adhere to the highest data protection standards for the security and privacy of their customers' financial information," Jones said.

Reporter: Dan Kaplan.
