Parent company TJX may have violated Visa security rules by storing credit-card data
Fallout from a hacker attack on the IT systems of TJX, whose properties include T.J. Maxx, Marshalls, and HomeGoods retail stores, intensified last week, as credit card fraud related to the incident was reported in several states and outside the United States, and as lawsuits were launched against the company, including a consumer class-action suit.
The attack, which was reported two weeks ago, is taking a financial toll on TJX. The company said last week it will record a fourth-quarter charge of 1 cent per share, or about $4.5 million, related to the hack, including the costs to investigate and contain the intrusion, enhance computer security, and communicate with customers. Things are likely to get worse, as a number of documents sent by Visa to financial institutions that issue cards and manage Visa transactions indicate TJX was storing credit and debit card data in violation of the Payment Card Industry Data Security Standard created by Visa and MasterCard.
Merchants like TJX aren't supposed to store cardholder data because a thief can use that information to create a counterfeit credit or debit card. "I can see storing data for a few hours or a day until transactions clear, but some of the stolen data goes back to 2003," says an executive at a California credit union that issues Visa cards and has been stung by the TJX hack. "That's a long time to be out of compliance."
TJX was storing customer information that's recorded on Track 2 of a Visa card's magnetic stripe, which generally includes the account number, the expiration date, and the card verification value, a three- or four-digit code that's used to verify the card's authenticity. That data is enough for crooks to make fake cards and run up charges. Track 1 is where alphanumeric data, including the cardholder's name and address, is recorded; apparently TJX wasn't storing that data.
Hence, chairman and founder Ben Cammarata's assertion, in a video on the company's Web site, that customer names and personal identification numbers weren't compromised. "It would be unlikely for cyberthieves to commit identity fraud using the information taken," Cammarata said. As a result, TJX has no plans to offer credit monitoring services for its customers. "Credit monitoring does not detect fraudulent charges on your credit and debit accounts," he said.
SIN OF OMISSION
TJX didn't respond to requests for interviews. But one analyst says it's unlikely that TJX was intentionally storing the data. "It's usually a problem with the legacy systems these companies are using," says Gartner research director Avivah Litan. "These systems were put in place years ago when there was no thought given to cyberattacks. No one would ever program a system like that today."
More than 60 banks in Massachusetts have reported compromises of customer accounts as a result of the security breach, and that figure is expected to grow, according to the Massachusetts Bankers Asso- ciation. Despite the fact that TJX says the hack occurred in December, the California credit union executive started see- ing an increase in counterfeit cards used to commit fraudulent transactions before then. And, according to a Jan. 23 e-mail distributed to financial institutions by Visa's director of fraud control, there's been an increase in fraud activity on certain TJX accounts since mid-November, particularly in California, Florida, Illinois, New York, and Texas.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.