30 states investigating hacking of retailers

[InfoSec News <alerts () infosecnews org>]

http://www.palmbeachpost.com/business/content/business/epaper/2007/02/20/m1a_hack_0220.html

By Pat Beall
Palm Beach Post Staff Writer
February 20, 2007

A posse of 30 attorneys general, including Florida's, is looking into 
how hackers wormed their way into a customer database holding personal 
information on customers of Marshalls, TJ Maxx and HomeGoods.

The thieves didn't just make off with credit card information of patrons 
of the popular retailers, which are owned by a Massachusetts-based 
public company. The illicit bounty included personal checks, debit cards 
and possibly driver licenses.

That's just the kind of information used to steal someone's identity and 
rack up debts on the unsuspecting victim's bank and credit card 
accounts. Already, fraudulent purchases in Florida have been linked to 
the hijacked data, according to the Massachusetts Bankers Association.

"We are looking into what has happened," confirmed Sandi Copes, press 
secretary for Florida Attorney General Bill McCollum. McCollum sits on 
the executive committee of the multistate probe, which is being led by 
the attorney general for Massachusetts.

"Essentially at this stage we are fact-finding," said Emily LaGrassa, 
communications director for Massachusetts Attorney General Martha 
Coakley. "How did the breach occur? Were there measures that could have 
been taken, or were there measures in place?"

At issue is personal information on shoppers stockpiled by The TJX Cos 
Inc., the corporate parent to TJ Maxx, Marshalls and a handful of other 
retail chains. Nineteen of its HomeGoods, TJ Maxx and Marshalls stores 
are in Palm Beach County and along the Treasure Coast.

The $16 billion company (NYSE: TJX, $28.47) announced in January it had 
unearthed evidence of hackers in December.

Although theft of personal information is not new, it rarely garners 
such close attention by the attorneys general. According to a report in 
The Wall Street Journal, the databases that were breached had 40 million 
names. TJX has said the true numbers are much smaller but has not 
disclosed how many customers were affected.

"That is one of the things we are looking at," said LaGrassa, the 
spokeswoman for the Massachusetts attorney general.

TJX is a global retailer with operations in Britain, Canada, Puerto Rico 
and Ireland. Data in those countries also was compromised, according to 
the company.

Then there's "the sheer volume of information retained," said Paul 
Stephens, a policy analyst with the California-based Privacy Rights 
Clearinghouse, a nonprofit advocacy group. "That is one of the important 
issues here."

For instance, the Massachusetts Bankers Association has pointedly asked 
why the retailer was warehousing so much personal data on its customers. 
"It appears that they may have been capturing data that is unnecessary," 
said Daniel Forte, president of the group.

Copes, at McCollum's office, said the company is cooperating.

Even so, questions are popping up about why the company waited a month 
before alerting customers.

When bandits lifted information on 19,000 AT&T Inc. customers last 
summer, company notifications went out within 48 hours. The TJX 
discovery came at the height of the holiday retail buying season, yet 
its announcement wasn't made for several weeks.

The company says it was bowing to the wishes of law enforcement 
authorities who wanted to keep hackers in the dark. Critics have asked 
whether the company was trying to protect seasonal sales.

The largest confirmed wholesale data theft involved 163,000 customers. 
That was the result of a breach of date compiled by ChoicePoint Inc. 
Fallout from that case was a public relations catastrophe for the 
company, which also saw its stock price dip.

ChoicePoint (NYSE: CPS, $39.04) did what it could to stem criticism. For 
example, it offered to pay for one full year of credit monitoring for 
all 163,000 consumers whose personal information was sold.

TJX has not offered to track customers' credit reports.

Stephens said the incident raises a more fundamental question: "Why did 
they need to retain that sort of information and then leave it in a 
place that was networked and could be accessed?"


______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss