TJX Data Breach Affected 94 Million Customers, Possibly the Largest Data Breach in History

Consumer Affairs reports on details emerging:

New information from a lawsuit against the TJX Corporation over its breach of customer information revealed that as many as 94 million Visa and Mastercard holders were exposed to hackers.

The new number was nearly double the initial estimate of 46 million affected customers that TJX reported in early 2007, when the breach was first revealed.

Visa officials estimated losses of $65 million to $83 million as a result of the breach, the largest and most exact number provided yet. The new information may officially mark the TJX affair as the biggest data breach in history.

The information came as part of a lawsuit filed by a coalition of banks against TJX, whom the banks hold responsible for not securing and protecting cardholders’ data as they performed transactions and made purchases.

The extent of the security lapse at TJX is staggering. eWeek reports on what has been uncovered thus far:

Citing new information about the TJX data breach, attorneys suing the clothing retail chain amended their complaints on Oct. 25 and want a jury to evaluate TJX’s security professionalism.

New details that emerged from documents filed in federal court Oct. 25 include:
  • A TJX consultant found that not only was TJX not PCI-compliant, but it had failed to comply with nine of the 12 applicable PCI requirements. Many were “high-level deficiencies,” the consultant said.

  • “After locating the stored data on the TJX servers, the intruder used the TJX high-speed connection in Massachusetts to transfer this data to another site on the Internet” in California. More than “80 GBytes of stored data improperly retained by TJX were transferred in this manner. TJX did not detect this transfer.”

  • In May 2006, a traffic capture/sniffer program was installed on the TJX network by the cyber-thieves, where it remained undetected for seven months, “capturing sensitive cardholder data as it was transmitted in the clear by TJX.”

  • In 2004, before the attacks began, TJX was issued a report on its security compliance that “identified numerous serious deficiencies at TJX, including specific violations. TJX did not remedy many of these deficiencies.”

Read the rest of the article for more details and links to previous coverage of the TJX data breach.
