TJ versus TK
Why in the name of all that is holy is it TJ Maxx stateside and TK Maxx in Brit land?
A New England-based supermarket chain has warned of an information security breach that exposed an estimated 4.2 million credit card records. Hannaford said hackers might have accessed customer credit and debit card numbers - but not the corresponding names or addresses - after hacking into systems involving card authorisation …
I'm assuming this is all down to online shopping and not orders made in store, right? Why do they need to hold the credit card details of that many cards after payment has been authorised and taken? And if it isn't online, why would they have the corresponding names and addresses for all those people, the two bits of information you're always meant to keep separate?
Or is this my naivety, that once you purchase from a shop the company won't be interested in tracking your shopping habits every step of the way... almost makes me want to move back to cash payment again...
I like to indulge in a bit of traditional English xenophobia and casual racism as much as the next guy, but I can't believe that this is solely a problem for the merkins.
At least when their monolithic corporations put all of their customers at financial risk they have to cough up to it.
>I'm assuming this is all down to online shopping and not orders made in store right?
The article states "after hacking into systems involving card authorisation". That doesn't give any indication as to whether these are in store or not. Chances are the data would travel through the same system irrespective. So to jump on the internet fraud bandwagon at this stage would seem a little hasty/speculative.
>Why do they need to hold the credit card details of that many cards after payment has been authorised and taken?
Who said this occurred AFTER that?
>And if it isn't online, why would they have the corresponding names and addresses for all those people, the two bits of information you're always meant to keep separate?
The article clearly states "Hannaford said hackers might have accessed customer credit and debit card numbers - but not the corresponding names or addresses"
>Or is this my naivety, that once you purchase from a shop the company won't be interested in tracking your shopping habits every step of the way... almost makes me want to move back to cash payment again...
Companies DO track what you buy to build up a marketing profile. It's usually done via store cards rather than credit card data. Certainly, that would be unlawful in the UK and I expect so for the US (that said, the US does have some odd data protection legislation).
Anybody working with Credit/Debit card info will be familiar with the PCI DSS v1.1. This is the standard insisted on by Mastercard/Visa/JCB/Diners/AMEX for handling Credit/Debit Card info.
Unlike many standards (e.g. FSA, DPA, etc.), PCI DSS is very definite. It gives actual details of how your system must be set up, and every security professional I've spoken to says it's common sense and would help against info theft.
In fact, PCI stated that if TK Maxx had been fully PCI DSS compliant they would not have had the theft via a wireless AP, as it would have been configured correctly.
The main problem is that the PCI, especially in the EU, won't set a definite deadline for compliance. They also have a limit of a $500,000 fine for non-compliance. So for many companies Senior Management won't give it the necessary backing.
If Mastercard/Visa etc really wanted to get PCI adopted, all they need to do is to either reduce their commission for companies that are compliant or increase it for companies that aren't.
Because if it directly affected the bottom line, every CFO would be insisting that PCI was a top priority.
I live in Maine and occasionally shop at the local Hannaford. So I had a lovely talk with my CC company today. Nothing bogus has shown up (yet), but twixt the two of us we'll be keeping several sets of watchful eyes.
I'm bummed that Hannaford a) took so long to discover they had been hacked and b) took as long as they did to come out with it. More full-disclosure is needed here too.
Spectacular announcements about massive data security breaches do the public little good. The implication of these announcements is that some data (i.e., that which are the subject of the announcements) are more exposed than other data. As a practical matter that is false. All personally identifiable data are more or less exposed all the time. And successful exploitation of that data by an identity thief requires a lot of work and luck. Socially responsible data-holders should set a high threshold of proof before concluding that a "data security breach" worthy of announcement has occurred for any given unit of data. (Data-holders should of course consult their attorneys.) http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html
that shops at Hannaford all the time, and am trying to figure out if someone is having a field day with my cash. Still trying to figure out if I need to cancel my account, but nothing has shown up as of yet. My mom thinks it's funny that she had to inform the family tech of such an event. She has an odd sense of humor.
"Spectacular announcements about massive data security breaches do the public little good. "
Seems to be the attitude here in Canada as I can't remember the last time a 'data security breach' received wide coverage and like Steve (We need a disclosure law for the UK) I can't believe they aren't happening on a regular basis.
Why should every one be announced, Benjamin? Because the only way to keep pressure on the bastards to secure information is to constantly wave the threat of embarrassment and possible loss of business as people lose faith.
Actually I don't really think they're capable of being embarrassed so 'loss of business' is probably the only real threat.
I just assisted a friend in a PCI compliance audit and, needless to say, the fines that are levied against merchants are NOT equal. TJ Maxx was a wake-up call for the entire credit/debit industry (creditors, the processing companies and the service companies that write the transaction-handling database software). Did anybody pay a damn bit of attention? No. Did anybody scream for sweeping reform? Hardly. Instead of doing what's right by protecting the data through encryption at every level, or even reducing the number of hops a transaction has to take between merchant/creditor/consumer, track data, account numbers and personal information get bounced all over the place.
I must qualify my last sentence based on the fact that it is only within the last year and a half (in my experience) that software publishers have finally started warning merchants of the possible risks in using older software.
The fines and penalties levied against TJ Maxx are nowhere near the same percentage that are placed on smaller merchants. For example, one business I worked on had approximately 1000 cards and $200,000 worth of fraudulent charges that were ultimately traced back to a compromised and unencrypted POS system they used. Once we got it all secured and mitigated, and went through several PCI compliance reviews, with fines and other associated costs, the business had to pony up almost $100,000. That happened to be more than 10% of their gross annual revenue and, if they're lucky and can stay in business, they might become profitable again in 5 or so years.
Yet TJ Maxx has a limit on the amount they're liable for? Sorry, but their entire executive board should be behind bars. And this store gets compromised and roughly 4.2 million cards are potentially compromised? They should be shut down. Period.
Oh, as for the Secret Service... Unless the fraud amount is less than something in the high six-digit range, they generally won't even return a phone call. We got more help from the FBI than the Secret Service, but sadly, due to the international nature of all the fraudulent transactions, their hands were somewhat tied.
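The post above complains that track data and account numbers get stored and bounced around unencrypted, and that the problem surfaced in a PCI compliance audit of an unencrypted POS. The following is an added example, not code from the thread, from Hannaford or from any POS vendor, of the two sides of that: what a merchant system is allowed to keep once authorisation has come back (PCI DSS requirements 3.2 to 3.4: no full track data after authorisation, PAN masked to first six/last four, stored PAN rendered unreadable), and an audit-style scan of a log for lines that still carry full track data or a clear PAN. The track 2 layout (`;PAN=YYMM` + service code + discretionary data `?`) is the standard magnetic-stripe encoding; the function names, the demo key and the sample log lines are constructed for this example, and the 4111... and 5500... numbers are the public Visa/Mastercard test PANs.

```python
"""Added example (not from the thread or any vendor): what a PCI-DSS-minded POS
keeps after authorisation, and how an audit would scan for data it should not keep."""
import hashlib
import hmac
import re

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
PAN_RUN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split raw magnetic-stripe track 2 data into fields; only the terminal should see this."""
    m = TRACK2_RE.fullmatch(track)
    if m is None:
        raise ValueError("not track 2 data")
    pan, expiry, service_code, discretionary = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {"pan": pan, "expiry": expiry, "service_code": service_code,
            "discretionary": discretionary}


def mask_pan(pan: str) -> str:
    """Display form per requirement 3.3: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way reference for matching repeat cards or chargebacks without keeping
    the PAN. An unkeyed SHA-256 would be brute-forceable over the ~10^15 PAN space."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def retain_after_auth(track: str, key: bytes) -> dict:
    """Everything a merchant system may keep once the authorisation has come back.
    Full track, CVV2 and PIN block are sensitive authentication data and are dropped."""
    rec = parse_track2(track)
    return {"masked_pan": mask_pan(rec["pan"]),
            "pan_token": pan_token(rec["pan"], key),
            "expiry": rec["expiry"]}


def find_sensitive(text: str) -> list:
    """Audit helper: flag log/DB lines that still carry full track data or a clear PAN."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if TRACK2_RE.search(line):
            findings.append({"line": n, "kind": "track2"})
        elif any(luhn_ok(run) for run in PAN_RUN_RE.findall(line)):
            findings.append({"line": n, "kind": "pan"})
    return findings


# Constructed sample data: public Visa/Mastercard test PANs and a placeholder key
# (hypothetical, not a production secret).
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"
DEMO_KEY = b"demo-key-not-for-production"
SAMPLE_LOG = """\
2008-03-17 12:01:44 auth ok merchant=1234 pan=411111******1111 amt=42.17
2008-03-17 12:01:45 DEBUG raw swipe ;4111111111111111=2512101123456789?
2008-03-17 12:02:10 refund merchant=1234 card=5500000000000004 amt=9.99
"""

if __name__ == "__main__":
    print(retain_after_auth(SAMPLE_TRACK2, DEMO_KEY))
    print(find_sensitive(SAMPLE_LOG))
```

Run as-is, the first line printed shows only the masked PAN, a keyed token and the expiry, while the scan flags line 2 (a debug log of the raw swipe, which is exactly the "track data bounced all over the place" the post describes) and line 3 (a clear PAN in a refund record); the masked PAN on line 1 is not flagged because it is no longer a 13-to-19-digit run. The token is an HMAC rather than a plain hash because the PAN space is small enough that an unkeyed hash can be reversed by exhaustion, which is why PCI DSS pairs hashing with a secret or salt.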
"Supermarket identity sweep" - best tagline in a while.
Unfortunately, John Q. Public doesn't care about issues like this at all. I remember a story like this only being mentioned in passing on the news channels because the top story was Paris bitching about having to go to jail.
It is possible for merchants to process transactions with just the name, card number, and expiry date. In practice, however, very few are prepared to do so because of the extra liability they take on. For example, if they go ahead with a transaction minus the CV2 code, the merchant, and not the card issuer, then becomes liable for chargebacks.