TJX Fighting Hard To Raise The Bar Even Higher For Worst Credit Card Data Leak Ever

from the go-big-or-don't-go-at-all dept

Wed, Feb 21st 2007 4:11pm — Carlo Longino

Last month, TJX, the parent company of retailers T.J. Maxx and Marshalls among others, disclosed that it had lost a ton of customer credit-card and personal information, with some suggesting it could be the biggest breach ever. If you follow these sorts of things, you'll remember that the way they typically go is that the group that's lost the data will disclose a breach, then, after the initial furor has died down, they'll come back a few weeks later and say they lost a whole lot more than they first thought. With that in mind, any guesses as to what TJX has said today? Surprise, surprise -- a ton more information was exposed than the company first disclosed. This sort of leak continues to happen, and nothing gets done to put a stop to it. It doesn't appear that many companies care enough, or have the proper incentives to devote the necessary level of resources to security. But remember what the banks and credit card companies' surveys tell us: these breaches, and identity theft in general, isn't a problem.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

12 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Asian, 21 Feb 2007 @ 5:24pm

first...
I'm glad that I've never shopped at either of those stores.... and whoever says that I.D. theft is not a problem should post their name, S.S.# , D.O.B., address, and mothers maiden name.. i need a vacation that they would "not" be paying for ...
[ link to this | view in chronology ]
Anonymous Asian, 21 Feb 2007 @ 5:25pm

first...
I'm glad that I've never shopped at either of those stores.... and whoever says that I.D. theft is not a problem should post their name, S.S.# , D.O.B., address, and mothers maiden name.. i need a vacation that they would "not" be paying for ...
[ link to this | view in chronology ]
Stu, 21 Feb 2007 @ 6:01pm

Use the Force Luke
I.D. theft is not a problem
I.D. theft is not a problem
I.D. theft is not a problem
I.D. theft is not a problem
These are not the droids you're looking for.
These are not the droids I'm looking for.
[ link to this | view in chronology ]
mee, 21 Feb 2007 @ 8:50pm

Being a T.J. Maxx associate, people often ask me if we've straightened it out. We don't know anything. So stop asking. Also, you can avoid this mess by paying in cash.
[ link to this | view in chronology ]
- bubba, 22 Feb 2007 @ 6:16am
  
  Re:
  hey Mee,
  
  Your company made a huge mistake in collecting and storing data from Track 1 of the credit card strip on the back of each card. That has the CC#, Exp Date and CCV#. What should have been collected is the info from Track 2 which is name and address only, no financial information. Maybe you should go to your manangement and ask them how to address those concerns from customers, like myself included, whose CC were compromised. Oh and dont tell me to pay in cash. I can cancel a stolen credit card....someone rips me off of my cash- cant get that back. If its so tuff to answer peoples questions about this major breach then get out or kindly tell people to address their concerns by calling a 1-800 number. With your angry attitude you really shouldnt be addressing these people anyhow.
  [ link to this | view in chronology ]
Anonymous Coward, 21 Feb 2007 @ 9:52pm

What I don't understand is why these companies with so much data to loose feel that they need to hold onto such sensitive data for the long term, especially if they don't have the security and resources to keep it safe.
[ link to this | view in chronology ]
JSchmidt, 21 Feb 2007 @ 10:06pm

Umm..

Jeffrey Schmidt
525878546
29/07/1987
780 McDonnell Rd, SAN FRANCISCO, CA, 94128
Collins

Ok, so how is this gonna get me a vacation?....
[ link to this | view in chronology ]
- A.J., 21 Feb 2007 @ 10:35pm
  
  Re:
  You, my friend, have got balls of steel.
  [ link to this | view in chronology ]
- Anonymous Coward, 21 Feb 2007 @ 11:04pm
  
  Re:
  "jeffrey" you lied, that's not nice.
  [ link to this | view in chronology ]
Anyonymous jerk, 22 Feb 2007 @ 7:42am

Fine them!
At this point, the authorities need to step in and begin dolling out serious fines for these companies. Identity theft not only hurts individuals, but ultimately causes nationwide economic repurcussions when people start declaring bankruptcy because they can't pay their bills.
(sounding like a poster for ID theft)

It hurts us all!
[ link to this | view in chronology ]
Julian, 22 Feb 2007 @ 9:56am

TJMaxx will be bought out
Visa will force a buyout or a shutdown. Visa did that for CardSystems last year which is now operating under a new name and new management.

Visa has implemented PCI security regulations which is a series of security best practices for the specific security of the cardholder data. If you accept VISA cards you must pass this security audit or negotiate an extension or waiver. VISA is not fooling around anymore.

in_the_industry
[ link to this | view in chronology ]
Anonymous, 25 Feb 2007 @ 7:38am

Prosecute the Real Criminal
I understand the exposure the company has, along with many other companies that have yet to be hacked. Why are we not talking about finding and prosecuting the criminals that stole the information in the first place. I know it's a difficult task, but it must be done, otherwise, other companies will find themselves in this situation.
[ link to this | view in chronology ]