And it happens again!
As if it weren’t enough that CardSystems exposed 40 million card numbers back in 2005, we have the latest carelessness to deal with. TJX, the parent company of TJ Maxx, Marshalls, and some others, has carelessly, and without regard for its obligation to its customers or the requirements of PCI-DSS, been quietly keeping credit card information since at least 2003 - and all the while some bad guys were gathering the data.
Within a week or two after the breach was announced in January, reports of fraudulent transactions resulting from the breach started coming in from all over the globe. This has, to my knowledge, never happened before. It certainly hasn’t been made public. And last week, 6 arrests were made and a couple more warrants were issued for individuals who were in possession of some of that data.
The best we’ve gotten so far is a short apology from Carol Meyrowitz, the President and Chief Executive Officer. In her defense, what more can she say? How about, “We screwed up - we ignored the regulations of the credit card industry by keeping this data and we didn’t worry about our customers’ information.”
In the letter, posted on their website at tjx.com, Ms. Meyrowitz says, “I encourage you to access the information we are providing on this website to learn more about steps you can take to protect your credit and debit card information…” I’ve been all over the site and haven’t found any of this useful information, although the breach has certainly gotten enough press coverage.
In their initial press release dated January 17th, posted here, they say that “TJX has been able to specifically identify a limited number of credit card and debit card holders whose information was removed from its system…” This limited number has turned out to be, to date, 45.7 million. It’s the largest credit and debit card data breach in the history of the payment industry.
The lawsuits have already begun and the government is taking a long hard look at the regulations and who should be held financially liable. Personally, I hope they get everything they deserve, but from the look of their stock, it’s business as usual.
I’d like to be able to tell you that the information we provide at Preventing E-Commerce Chargebacks would protect you from every fraudulent order this travesty has caused, but I can’t. But I can tell you that it will go a long way to helping you prevent fraudulent orders on your E-Commerce website.
You know that if a smaller merchant had done this their ability to accept credit cards would be suspended and they would never be able to take another card ever.
But since it is one of the big boys, they will get a fine they can afford and most likely get a better discount rate than they had before because they are in compliance.
Jeffrey R. Collins
April 5th, 2007 at 9:27 pm
NerdBoyInc.com