YouTube's Itchy Trigger Finger Pulls Down Perfectly Legitimate Video

Ladies And Gentlemen, We May Have A New Winner For Most Credit Card Data Leaked

from the congrats-all-around dept

Fri, Jan 19th 2007 11:02am — Mike Masnick

There was some talk yesterday about how TJX, the parent company for discount clothing stores T.J. Maxx, Marshalls and some others had lost some credit card data after their systems were hacked. Today, additional information is starting to come out suggesting that this may take the lead as the largest single set of compromised credit card data, reaching even beyond the 40 million or so records lost by CardSystems a few years back. Since those responsible for that data loss only got a slap on the wrist, perhaps it's not surprising that others haven't done much to beef up credit card security. In fact, another article on this story claims that, despite strict guidelines from Visa and Mastercard for how this type of data needs to be handled only 31% actually comply with the guidelines -- and apparently TJX is among those who don't comply (big surprise there). Since it's apparent that not much has happened in the past few years to better protect our data, expect plenty of fretting over what this means and how to do a better job... until enough people forget about it, and we're all set up for a year or two down the road when we'll have a new winner in the largest single data leak ever.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

30 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 19 Jan 2007 @ 11:22am

If you didn't know better, you would think that people within corporations that control large amounts of credit card data are actually colluding with the Russian mob that buys the consumer data.

Why not? The chance of criminal prosecution for "accidentally" losing the data is zero. Hell, there aren't even any risks from civil litigation. And I'm sure that you can set up a nice offshore account with the proceeds from the sale of 40-50 mill credit card numbers.
[ link to this | view in chronology ]
Morgan, 19 Jan 2007 @ 11:23am

Visa/MC Need to Enforce
Before we end up with some ridiculous legislation on this, Visa/MC needs to hammer these vendors until they comply. The alternative is sooo, so much worse. Some kind of card 'rights' SarbOx bill.

Visa/MC are relentless and remorseless on chargeback decisions, you'd think they could get the same people onto compliance.
[ link to this | view in chronology ]
whoa there, 19 Jan 2007 @ 11:29am

FUCK FUCK FUCK SarbOx
and that's all I have to say about that
[ link to this | view in chronology ]
Anonymous Bum, 19 Jan 2007 @ 11:30am

I remember
when I got the letter from my merchant account(visa/mastercard) detailing how I would have to comply with their new rule or not store the data. We chose not to store because it was cheaper than complying. I should have just ignored their memo like everyone else.
[ link to this | view in chronology ]
misanthropic humanist, 19 Jan 2007 @ 11:30am

oops
One leak is understandable. Twice is careless. Forty Million really needs looking at. I wonder if this isn't some ploy to render the credit card "honour system" void and mandate draconian ID requirements.
[ link to this | view in chronology ]
me, 19 Jan 2007 @ 11:43am

credit cards
Yet another reason i don't use credit cards
[ link to this | view in chronology ]
Amerin, 19 Jan 2007 @ 12:03pm

Well I think they should be held responsible
Any business that stores Credit card data, short of processing the transaction, should be held responsible when they have a leak, and 40 million credit card numbers go off into the ether. You should be allowed to SUE the crap out of the company that allowed the leak!

If you have ever had your identity riped off and what a hassle it is to get it cleaned up! Its a freaking nightmare!

Those companies that just shrug off security of the data loss, after a few people win some large sums for pain and suffering, and let me tell you dealing with false info on your credit history is a night mare to fix !
[ link to this | view in chronology ]
s short, 19 Jan 2007 @ 12:08pm

hacked credit card info
It'll be a cold day in hell before I go back in a T.J. Maxx or Marshalls
[ link to this | view in chronology ]
Leaky Pete, 19 Jan 2007 @ 12:14pm

What's a feller to do?
What's the course of action should your name be one of those 40 million? Is alerting your credit card company to the possibility of your info being leaked necessary? Does that alert get reflected negatively somehow on one's credit history?

Does this leak apply only to those that have a TJX card or is it also applicable to anyone who has charged a purchase at their stores?

The info holding company should be liable for info theft. Especially as those who've provided said information have done so with the expectations of that information being held securely.
[ link to this | view in chronology ]
Greg, 19 Jan 2007 @ 12:15pm

Any business that stores Credit card data, short of processing the transaction, should be held responsible when they have a leak

Yeah, I really don't get why they were storing that data anyway. They obviously need some work on the HOW of their storage, but really, why was that data even there, in the first place?
[ link to this | view in chronology ]
Morgan, 19 Jan 2007 @ 12:18pm

I wonder if I got hit here
Anyone know when this actually happened? Because for the first time ever I had fraudulent charges around the turn of the year.

I would love if that were the case, not for any damages (I got a hold of the vendors before anything was sent) but just for the explanation. The only charge that ended up finalizing was like $100 fortunately.

I like to think I'm very careful online and it was definitely disquieting to see charges someone else placed on my bank statement.
[ link to this | view in chronology ]
Pesti, 19 Jan 2007 @ 12:19pm

Here we go...
While watching the football playoffs along with the rest of
the millions of dedicated fans, Mastercard treats us with that cute little commercial where a fast moving, perfectly run, "Burger Joint" comes to a screeching standstill because some poor schumck has the odasity to use CASH!!! instead of just
swipping a "Preferred credit card"....and of course everyone
in the place gives the guy the evil eye for being different..
All that for a fricken Hamburger!!!!

Think were not being "Prepped" for a more convieniant, and "safer" cashless monetary system?? I'm with oops,
insidious thats the word...
[ link to this | view in chronology ]
- Vogue, 19 Jan 2007 @ 3:31pm
  
  Re: Here we go...
  Point taken Pesti!
  
  I can't believe how many businesses no longer accept checks! It's definitely a first step in something major forthcoming! The reasons businesses are giving for the exclusion of business with checks is getting ridiculous too. I read a sign just today that said it was due to the increased bank costs associated with using checks! My thought on this was 'Don't you have to process a transaction regardless of payment method?' So rather than say they are fumbling idiots in the world of commerce and can't develop a system of checks and balances to keep a few morons from writing hot checks, they simply default to a moronic answer like 'Sorry, costs are too high!'
  
  Buddha and Murphy both say "Don't run business if you can't accept legal tender in all of its forms."
  [ link to this | view in chronology ]
  - idea, 19 Jan 2007 @ 4:51pm
    
    Re: Here we go...
    I see a business opportunity with third-party certification of businesses that don't store CC data, encrypted or not, just a hash of your card data and date of transaction so they can verify the card you provide is the card they credit. Distribute green cert. stickers to businesses who are audited... I see $$$$$
    [ link to this | view in chronology ]
  - Lori, 24 Jan 2007 @ 12:50pm
    
    Re: Re: Here we go...
    There are many dishonest people who hack into computer systems...butt there are MILLIONS and MILLIONS of dishoney people who see nothing wrong with writing a bad check.....and BILLIONS of morons who can not be bothered to balance their checkbooks so they don't even know they are writing a bad chack
    [ link to this | view in chronology ]
- Lori, 24 Jan 2007 @ 12:45pm
  
  Re: Here we go...
  That's a Visa add, not MasterCard
  [ link to this | view in chronology ]
smarter than you, 19 Jan 2007 @ 1:29pm

What do you mean why?
Are you the same retard who tries to return merchandise without a reciept and then get angry because they will only put it back on the card it was purchased with? This is why they store it. Go return something to WalMart. They don't even ask for the card anymore. They do it because you complain if they don't.
[ link to this | view in chronology ]
Good bank, 19 Jan 2007 @ 1:42pm

at least they got it right
My bank acquired the list of CC numbers from this incident that had been leaked, cross referenced it with their members' numbers and reissued cards to each member whose number was compromised. I was irritated when my CC was declined, but happy to find my bank had done the right thing. More banks need to be proactive like this....
[ link to this | view in chronology ]
- Lori, 24 Jan 2007 @ 12:47pm
  
  Re: at least they got it right
  And we (the banks) would LOVE to do that...but it's not free for us to do...
  [ link to this | view in chronology ]
Dam, 19 Jan 2007 @ 1:45pm

Job Opening in Framingham, MA
Wanted: Competent CIO to oversee large multi-store operation. Must be familiar with simple things like SECURITY of stored data. Must also train staff to not answer questions about security over the phone and become vistims of social engineering.

Please send your resume and your first-born to:
TJX's Corporate Headquarters are located in Framingham, Massachusetts:
The TJX Companies, Inc.
770 Cochituate Road
Framingham, Massachusetts 01701
Main Number: (508) 390-1000

We want your first-born because if you screw up, we'll sell him/her to the gypsies.
[ link to this | view in chronology ]
Stand Back, it's Intellectual Blather, 19 Jan 2007 @ 2:03pm

I like it
would like to see the list of leaked...if I'm on there it might mean I can disregard current balance!?
[ link to this | view in chronology ]
Eric, 19 Jan 2007 @ 2:06pm

Lemonade
I sense a business opportunity here....

A company dedicated to handling identity monitoring and repair, paid for by judges decree and settlement money from TJX lawsuit.

Oh wait, involves lawyers....
nevermind.

-Eric
[ link to this | view in chronology ]
Anonomya, 19 Jan 2007 @ 4:46pm

Checks are worse!
'Don't you have to process a transaction regardless of payment method?'

NO! If I hang a sign on my cash register that says "We only accept beer" then you have to pay me in beer if you want to make a purchase. Checks are less secure and more costly to handle than credit cards. Go ahead, use a check. You're giving the clerk and everyone in between who has to touch it your banking account number, your routing number, full name, home address, and usually the name of your spouse as well if it's a joint account. They have it in their hands after you leave and are free to make photocopies, write down that info, etc without anyone knowing. I can't believe people are still using checks!

At least with a credit card, it's in your sight the whole time the clerk has it. Usually receipts only have the last 4 digits. So unless the clerk has some sort of copying device attached to the swiper (or a photographic memory), they have no way of getting your number.

As far as the extra processing cost, think about it. That piece of paper gets stored somewhere until the store has a good sized pile, then someone takes it to the bank, then someone working at the bank has to do data entry and scan your check (they'll do that whether or not you're signed up for electronic statements). That's then got to get stored as an image file in their computer systems, which takes up more space than a simple text string as a result of a credit card transaction would. As a result, banks charge a premium for handling paper checks. This charge gets passed on to the business, and the business can't tell you "Well it's going to cost you $3 more than the next guy because you're using a check" because people who try to use checks freak out at statements like that. They don't understand how much extra processing it takes!

Yet another not to take checks is that any moron can go down to the Staples and buy a color printer and even blank checks. It's so much easier and cheaper to make counterfeit checks than it was even five years ago, so there are a lot more of them floating around. And there is no way to verify funds from a check while the person stands there, like you can do with a credit card.

On top of that, it looks suspicious. With debit cards being handed out like candy, why would someone who has a checking account bother to use a check instead of the debit card? Why carry around checks and waste time in line writing them out if you aren't up to something?

Checks are good for paying relatives or friends, in birthday cards as gifts... and that's about it.
[ link to this | view in chronology ]
- Tyshaun, 19 Jan 2007 @ 10:56pm
  
  Re: Checks are worse!
  Checks are good for paying relatives or friends, in birthday cards as gifts... and that's about it.
  
  I gotta agree with that. I just can't understand why anyone uses a check, except for little grey haired people who are suspicious of credit cards and too scared to carry cash.
  As per security, I've read some studies that show with the amount of counterfeit currency out there, credit/debit cards can actually considered more safe because the available funds can be verified instantly and when stolen they can be cancelled very quickly.
  [ link to this | view in chronology ]
- Wizard Prang, 22 Mar 2007 @ 10:54am
  
  Checks are MUCH worse!
  As an observation, I have found that checks are also the slowest way to pay for anything. When standing in the checkout line, I must confess to a sinking feeling when the person in front of me whips out her (its almost always a woman) checkbook.
  
  It's tough enough packing your goods in the cart while watching the screen to check that the prices charged are correct, but it becomes comedic when you have to juggle pen and checkbook as well.
  
  Then you have the Drivers License inspection and, more often than not, the "gotta-call-a-supervisor" shuffle, which turns comedic into annoying.
  
  And thanks to Check 21, the check will likely clear immediately, if not overnight. The float is history, folks!
  
  And now back to our regularly scheduled programming...
  [ link to this | view in chronology ]
misanthropic humanist, 19 Jan 2007 @ 6:12pm

making a better hash of it
Yes #19, sound reasoning. But it's a fragile position, and one extra level of middlemen that would have to add cost. Eventually security legislation or customer backlash will make this inevitable. What you say is entirely correct though. Post POS transaction data should only be stored as a non-reversible highly salted hash of the card # and a UID provided by the salesman. It then serves all paries for non-repudiation while remaining useless to a theif.

Of course I assume there are smarter scientists than you and I working for banks (that maybe a very dumb assumption :), so the motive for not having this obvious system is one to ponder isn't it?
[ link to this | view in chronology ]
Anonymous Coward, 21 Feb 2007 @ 7:54pm

I work for a quite large retailer (13000+ locations) and did work implementing the credit/debit card processing software. As far as I know, the card numbers don't exist in our system ANYWHERE after it's processed. The POS system stores the number long enough to get authorization, then THROWS AWAY everything except the last four digits. We don't save the expiration date, we don't save the "discretionary data", we don't save any of it. There's no way to leak them, because we don't HAVE them.

Why do retailers want to keep them around? I just don't get it. I understand a health club or similar that has authorization to do recurring charges, but a retail store? WTF?
[ link to this | view in chronology ]
john, 24 May 2007 @ 10:26am

everyone
To know how to hack peoples credit cards in 10 mins or even less in a few easy steps then go on this blog or url.

http://blog.myspace.com/193987950
[ link to this | view in chronology ]
jason, 13 Jan 2008 @ 10:26pm

how to get full info cc!!
To simplify this, here is how it works: Send an Email to confuse a yahoo email, and it takes 3 mins to create a yahoo email account) with complete information of people's credit card information stored in the server in the last 72 hours. This is how you'll get people's
VALID credit card information.
Now you have to do exactly the same as follows:
(Don't send this email this is only an example how to write Hack.)
Please get some valid/true credit card and try!!it useless if use fake cc!!

Send an Email to mailto: server01010@yahoo.com

With the subject: accntopp-cc-E52488 (To confuse the server )

In the email body, write: boundary="0- 86226711-106343" (This is line 1)

Content-Type: text/plain; (This is line 3)

charset=us-ascii (This is line 4, to make the return email readable)
credit card number (This is line 7, has to be LOWER CASE letters)
000000000000000 (This is line 8, put a zero under each number, etc)
name on credit card (This is line 11, has to be LOWER CASE letters)
0000000000000000 (This is line 12, put a zero under each character, hyphen, etc)
CVV number (Three digit number on the back of your card) (This is line 15, has to be LOWER CASE letters)
000 (This is line 16, put a zero under each character, number, letter, hyphen, etc)
address,city (This is line 19, has to be LOWER CASE letters)
0000000000 (This is line 20, put a zero under each character, number, letter, hyphen, etc)
state,country,p.o. box (This is line 23, has to be LOWER CASE letters)
00000000000000000 (This is line 24, put a zero under each character, number, letter, hyphen, etc)
phone number ( put a zero under each character, number, letter, hyphen, etc)
type of card (This is line 27, has to be LOWER CASE letters)
000000000 ( This is line 28, put a zero under each character, number, letter, hyphen, etc)
date (This is line 31, has to be LOWER CASE letters)
000000 (This is line 32, put a zero under each character, number, letter, hyphen, etc)
252ads (This is line 35
Return-Path: (This is line 36, type in your email between )

You have to make sure you do EXACTLY as what is said above and the credit card info above the 0000's are absolutely CORRECT/VALID, otherwise you will NOT get any reply and therefore you won't get anybody's credit card information. Here's a sample email .
Here is an EXACT email which you have to send to server.
(CAUTION ) ! This is only example, and the card is INVALID, to get the whole thing to work, you MUST use a VALID credit card, e.g. YOUR OWN VALID CC)

Send to: server01010@yahoo.com

Subject: accntopp-cc-E52488

Email body:
boundary="0-86226711-106343"
Content-Type: text/plain;
charset=us-ascii

4013993145565451
0000000000000000

jesse d banks
00000000000

523
000

2537 stillwell rd.,des moines
00000000000000000000000

la,usa,50567
0000000000

645-867-9950
00000000000

visa
0000

03/2006
0000000

252ads8> Return-Path:

This may take a few minutes but it REALLY WORKS!!! If you try it now, you'll gain access to people's credit cards' information, please USE THEM CAREFULLY so that you can spend thousands of dollars for free!! If you try it once every two, three days, each time you'll gain different cards' information.
I've received about 27 credit card numbers so far. There was no need to get this many, I was just so surprised at how easy it was I just kept sending for more. I've only used 5 numbers so far, on ebay. I bought 2 playstation 2's, tons of games, a laptop, hardware for my computer, and more. This is too easy. I would be selling this, but whats the point. All the money I want is in the Credit Cards. Have fun, and theres no need to get hundreds of numbers, you cant use them all
HACKERS FOREVER!!!!
Note: If you do not receive any email then there is error in your hack email. i.e. The CC information you provided to server is invalid. You should use valid credit card informtion.
[ link to this | view in chronology ]
Someone, 23 Jul 2008 @ 12:03am

Anybody wants to hack the Staples retail store POS?
I know a lot about it and am eager to help.
[ link to this | view in chronology ]