Thursday, January 18, 2007

What was TJX thinking?

This type of thing happens so regularly it's not even news. Massachusetts-based TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods and Bob's Stores, got hacked, and information for more than a million credit and debit cards, sometimes with driver's license information, was stolen. More than a million? It sure sounds like they don't know the exact figure, but it's growing.

Data going as far back as 2003 was compromised sometime in December 2006, and TJX was working with law enforcement and kept the news hidden until then.

A story in the Boston Globe seems to indicate it was not an insider. Of course, TJX will never share the findings about how this happened, but what were they doing with this data in the first place?

And the magnitude of the breach seems to be growing. Are they playing a "gradual disclosure" game like ChoicePoint? The Massachusetts bankers' association doesn't like the scope and duration of data retention:

The bankers' association also questioned why TJX kept credit- and debit-card
information on file for so long. "It appears that they may have been
capturing data that is unnecessary," Daniel J. Forte, the bankers
association president, said in a statement today.

TJX spokeswoman Sherry Lang would not comment on the bankers' association
statement. She reiterated that the company does not yet know of any acts of
fraud related to customers' personal data.

The PCI standard requires protection of stored cardholder data. So what happens if the data is not protected? A slap on the wrist? Not even that.

Oh, by the way, TJX has not offered to provide credit monitoring or any such service. I'd recommend calling TJX at (866) 484-6978 and asking for credit monitoring.