Eleven Charged In Massive TJX Data Loss... But Many Are Still Overseas

from the this-is-hardly-over dept

Wed, Aug 6th 2008 12:45am — Mike Masnick

We've had numerous posts about the massive (some say the largest ever) data breach by TJX, parent company of retailers like TJ Maxx and Marshalls. So, it's certainly worth mentioning the story making headlines that the "culprits" of the breach have been charged in the case, but it shouldn't exactly put your mind at ease about these breaches. After all, the credit card info they accessed (over 40 million cards by most accounts) is still out there, though many card holders have already changed their numbers. But, more importantly, it sounds as though most of those responsible aren't in the US at all and are basically sitting free in Eastern Europe and Asia. Hell, one of those "charged" is only known by his online username, with no indication where he might be located. So, yes, it's good that the feds tracked down some of the folks responsible, but most of them are probably still out there getting access to the credit cards your provider sent you to replace the ones compromised by these guys in the first place.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: credit card theft, data breach, organized crime
Companies: tjx

14 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Web Search, 6 Aug 2008 @ 3:14am

credit card
Credit card use has been apparently been going down in the United States because of Severe debt incurred by obsessive users. Who knows maybe some of these debts have occurred because of some of these frauds.
A better system needs to be implemented that will prevent massive frauds of this kind. The paypal system should be the proper format for this type of system. This might be combined with some bio information like a finger print. It is a great opportunity for a new security business
[ link to this | view in thread ]
Shohat, 6 Aug 2008 @ 3:39am

Retailers usually take the hit
At the end of the day, Credit Card fraud usually results in merchants being hit with chargebacks. Merchants pay the price of processing and lost goods.

Any credit card user that actually follows the transactions, is highly unlikely to suffer any consequences due to CC fraud.
999/1000 it's the merchants that take the hit.
[ link to this | view in thread ]
McCrea, 6 Aug 2008 @ 3:40am

I didn't realize so many businesses were using wireless networks. That surprises me, but not the results.
[ link to this | view in thread ]
McCrea, 6 Aug 2008 @ 3:43am

Re: Retailers usually take the hit
Customers pay the cost in business.
[ link to this | view in thread ]
TJ EX, 6 Aug 2008 @ 4:24am

How'd It Happen?
The security of the network was clearly the responsibility of the IT management. The people in charge should now be counter clerks at Burger King. Is this too harsh? No. Who else would have taken responsibility for the computing infrastructure.

Think of the breach like this - what would the reaction be if the architectural firm that designs the stores didn't include locks for the doors? Do you think there would be hell to pay from the corporate management?

In cities all over the US war driving is practiced everyday by young geeks. I've even tried it myself, and I'm 55!. Turn on the laptop, fire up Netstumbler and see who's left their network wide open. Is it so hard to understand how serious leaving an unsecured network open is?

TJX should pay every last penny for this breach, as should ANY business that allows this to happen.
[ link to this | view in thread ]
Anonymous Coward, 6 Aug 2008 @ 5:49am

The security of the network was clearly the responsibility of the IT management. The people in charge should now be counter clerks at Burger King.

That's a bad idea. I already have enough trouble getting my order correct by the current staff.
[ link to this | view in thread ]
Formerly anon cow, 6 Aug 2008 @ 7:00am

Re: How'd It Happen?
The security of the network was clearly the responsibility of the IT management.

What IT management? Have you ever seen a tech at any of these stores? Maybe that was the problem. There was NO IT telling these people that wireless is NOT secure. Just someone who got contracted to put up what the customer wants how they want it.
[ link to this | view in thread ]
Overcast, 6 Aug 2008 @ 7:47am

Mixing Money and Computers - particularly ones tied to the internet - has always been and will always be a bad idea.

My main bank account - without a debit card, is as close to inaccessible as it can get. It's easy to just stop at the bank, make a withdrawal and use a pre-paid card for online purchases. I'm not really paranoid at all, just think it's silly to trust computers too much.

If the hacker has my credit card number - he'll have to add money to it first, before he can use it :)
[ link to this | view in thread ]
Kilroy, 6 Aug 2008 @ 8:15am

Re:
I like the way you think. And although someone else said that the business pay the price of cc fraud in a separate post above. I disagree! We all pay the price because the business passes along the price of those losses to the customer in how the retail/wholesale markup or service fee prices are calculated.

The more we can do to prevent these types of crime ... the better off we ALL are in the long run. And in some cases that might mean saying I will not use your wireless Interact machine because I don't know how secure your network is.
[ link to this | view in thread ]
James, 6 Aug 2008 @ 8:21am

Debit Cards
This is why debit cards are EVIL and should NEVER EVER be used as credit cards.

If someone manages to steal your REAL credit card number the liability to the individual is minimal or nill, but if they get your debit card number (even if your bank reimburses you) it could still be a huge PITA.

That aside, credit card companies are aware of this kind of fraud but promote cc use so heavily because even w/some fraud and loss they make so much in interest and fees it more than covers it.
[ link to this | view in thread ]
Abdul, 6 Aug 2008 @ 11:37am

Re: Retailers usually take the hit
What should be done now to the victims of these credit card fraud? I think they deserve to be compensated!! How many of suh fraud are presently going unnoticed remains to be seen. It simply means we are not too ready to combat the growing threat of cyber crime: Unprepared to Fight Worldwide Cyber Crime(http://www.internetevolution.com/author.asp?section_id=593&doc_id=147027&F_src=flftwo)
[ link to this | view in thread ]
Anonymous Coward, 7 Aug 2008 @ 7:33am

Re: Retailers usually take the hit
Good, in this case at least it is the merchants who were at fault. They asked to be trusted with customer information and they did live up to thier (moral) obligation to protect that information.
[ link to this | view in thread ]
Benjamin Wright, 7 Aug 2008 @ 8:59pm

over-reaction
Careful reading of the indictments show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. --Ben http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html
[ link to this | view in thread ]
Me, 8 Aug 2008 @ 5:40am

Re: Debit Cards
Your conclusion doesn't follow. Our Mastercard-networked debit card numbers were compromised in one of these scams. Bank security called to ask us if we were really buying racks of computer hardware from Singapore, to be shipped to Singapore. No, can't say that we were... The bank replaced the cards and we never saw the charges. According to U.S. federal law, the maximum liability you face in the event of debit card theft is $50, provided you report the theft within 2 days of learning of it. I don't feel that's too much for the banks and credit unions to ask. The liability is staggered - within 3 to 60 days of a bank statement reflecting the problem, you're liable for up to $500. After that, the bank figures you meant to spend the money. After two bank statements that reflected the thefts, I'd say you've been informed... Here's the info, spelled out more formally: http://www.federalreserve.gov/pubs/consumerhdbk/electronic.htm or http://tinyurl.com/5lrkbu . And that's just federal law. Mastercard and Visa are free to cover some or all of that consumer liability. They do expand on it. If you use your debit card over Mastercard's credit network (i.e., signing instead of using the PIN), you're generally not liable for unauthorized transactions, be they in person, by phone, or online. They've got some weasel wording in there, but it's not too bad. http://www.mastercard.com/us/personal/en/cardholderservices/zeroliability.html or http://tinyurl.com/2l5v3m I should point out that these conditions apply whether your Mastercard is a credit card or a networked debit card. So either way, there's the same potential aggravation in the event of theft or fraud. I've lived off debit cards for several years, now. I've rented cars, made hotel reservations, and flown nationally and internationally. I've used them in and out of country. Thus far, no worries. I'm not a Pollyanna. ID theft is real, and as you said, a huge PITA. But credit card fraud is just as much of a pain to sort out as debit card fraud. The only difference in the law's eyes is that you have to actually pay attention to your bank statements, to minimize debit card liability. I just don't think that's too much to ask.
[ link to this | view in thread ]