TJX Companies Inc.
January 17, 2008 (Computerworld) Last year, the TJX Companies Inc. disclosed what has turned out to be the largest information security breach involving credit and debit card data -- thus far, at least.
The data compromise at the Framingham, Mass.-based retailer began in mid-2005, with system intrusions at two Marshalls stores in Miami via poorly protected wireless LANs. The intruders who broke into TJX's payment systems remained undetected for 18 months, during which time they downloaded a total of 80GB of cardholder data.
TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. Even that number may be far too low: A group of banks that is suing the retailer claimed in an October court filing that information from 94 million cards was exposed during the serial intrusions.
The sheer size of the data theft puts TJX in a league of its own among companies hit by such incidents, and the breach has made it something of a poster child for sloppy data security practices among retailers. In addition, the breach highlighted several familiar issues and some not-so-familiar ones.
TJX has said that in the 12 months since the breach was disclosed, it has spent or set aside about $250 million in breach-related costs. That includes the costs associated with fixing the security flaws that led to the breach, as well as dealing with all of the claims, lawsuits and fines that followed the breach.
Georgia Department of Community Health, Atlanta GA-
Reported April 10, 2007. Affiliated Computer Services (ACS) loses a computer disk with the personal information of 2,900,000 health care claimants for the State of Georgia. This compromise occurred as the result of a lost computer disk and isn't the first breach suffered at the hands of ACS. The Department of Education Data Breach occurred as the result of an error in code written by ACS. In this instance, ACS has the contract to handle health care claims for the state, and a computer disk containing the names, birth dates and Social Security numbers of Medicaid and children's health care recipients went missing.
Georgia Secretary of State, Atlanta GA-
Reported April 12, 2007. Approximately 75,000 voters of Fulton County, Georgia had their personal information compromised when their voter registration cards were found thrown in the trash. The registration cards contained their names, addresses and Social Security numbers.
Bank of America, Commerce, Wachovia, PNC Customer Info-
(CBS/AP, May, 2005) Financial records of nearly 700,000 customers who used four major banks may have been stolen by bank employees and sold to collection agencies, officials said Monday.
According to the U.S. Department of the Treasury, the crime is believed to be the largest breach of banking security in the U.S.
The bank employees accessed records for customers of Commerce Bank of Cherry Hill, N.J., PNC Bank of Pittsburgh, and Charlotte-based banks Wachovia and Bank of America, according to Ken Zisa, police chief in Hackensack, N.J., where the investigation was centered.
More than 100,000 customers of Wachovia Corp. and Bank of America Corp. have been notified of the problem. So far, Bank of America has alerted about 60,000 customers whose names were included on computer disks discovered by police.