Christopher Soghoian over at Cnet is reporting that Turkish police may have used violence to get the encryption keys of one of the primary ringleaders in the TJ Maxx credit card theft investigation. The suspect, Maksym Yastremskiy, is apparently a “major figure in the international sale of stolen credit card information.”
The world’s greatest bank thief is in custody. For ripping off over 45.7 million consumers’ credit cards from TJ Maxx and other retailers, authorities pressed charges against Miami mastermind Albert Gonzalez and 11 others. The stolen numbers were sold to other scammers who manufactured fake debit cards and drained their victims’ accounts. The breach stemmed mainly from TJ Maxx stores using an unsecured wireless router.
Remember TJX’s gigantic security breach problems last year, where data on 94 million accounts was stolen? Good for you, because apparently TJX doesn’t. A former employee of a TJX store in Lawrence, Kansas was fired recently for posting anonymous complaints online about the current sorry state of his store’s security, which included the store manager writing server login and password information on a sticky note, and the store resetting employee passwords to blank fields.
Last December, Theodore Karantsalis received a letter from Sprint, where he was a customer, telling him that someone who banks with Wells-Fargo—where he’s not a customer—was presented with his invoice and personal data when they logged into their Wells-Fargo Checkfree account. The customer contacted Sprint, and Sprint contacted Karantsalis. Karantsalis decided that he’d deal with the issue on his own instead of bringing a lawyer into it or throwing his hands up in frustration, so he took both companies to small claims court.
On paper, the merger between Kmart and Sears looked almost fool-proof. Investors were confident that hedge fund manager Eddie Lampert had the Midas touch, and that Sears’ real estate holdings were worth more than $150 on their own. Sears’ well-regarded brands would be paired with Kmart’s convenient locations—and everyone would make tons of money.
Netflix has removed the monthly limits on all but its lowest-cost plan in an apparent attempt to position itself more competitively against Apple, which is expected to announce a downloadable movie rental service tomorrow. Now for as little as $8.99 per month you can watch as many movies on your PC as you can download.
TJX will be paying as much as 40.9 million in a settlement with Visa and the bank that processes their credit card payments, says the Associated Press.
The funds will be used to help U.S. credit card issuers such as banks recover costs related to the breach, which may have exposed more than 100 million cards to potential fraud, TJX said.
Last Sunday’s 60 Minutes had a report by Lesley Stahl about the now-infamous TJX data breach.
When TJX revealed earlier this year that they’d failed to keep safe over 45 million customer credit card accounts, they were hit with both consumer and bank class action lawsuits. Now they’ve submitted a proposed settlement for the consumer class action suit that includes a strange, somewhat insulting offer: a “one-day sale” for victims of the theft. Attorneys general from eight states have filed an objection against the proposal, citing that even if it’s a well-intentioned goodwill gesture, it doesn’t belong as part of any official, legal settlement, which should be designed to benefit the victims rather than the retailer.
According to new court papers, Visa and Mastercard are saying that the TJ Maxx security breach actually affected 94 million accounts—more than double the amount that TJ Maxx reported.
Mouseprint.org has read the fine print and they say you’re probably out of luck when it comes to the TJ Maxx Settlement:
So, it is primarily shoppers who returned goods without a receipt during the relevant period who qualify for that part of the settlement. That amounts to some 455,000 people, a mere 1% of the total number possibly affected. These people have already received a direct notification of the breach from TJX, and will also be entitled to other compensation if they experienced actual losses.
The announcement did not specify the settlement cost, but noted that its estimated costs were included in a $107 million reserve included in its second-quarter report for fiscal 2008 and its estimate of $21 million in costs expected in fiscal 2009. The $107 million figure includes costs from other lawsuits not included in the customer class actions, the Framingham-based company said.
The infamous TJ Maxx data breach cut parent company TJX’s profits by more than half. The total bill for the breach? $256 million. [Boston Globe]
The Wall Street Journal is reporting that the most likely scenario for how the hackers stole an estimated 200 million card numbers is as simple as a person with a laptop breaking into the wifi network of a store:
The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.
TJX, the parent company of TJ Maxx and Marshalls, is facing a class action lawsuit from the 45 million customers whose credit card data they lost; now, bankers associations representing 300 banks in Maine, Connecticut and Massachusetts have decided to file a class action suit of their own. From InfoWorld:
Banks — especially in states like Massachusetts — were also hard hit. Why? Because under current federal law, it’s banks, not merchants, who have to pay to make customers whole again: forgiving fraudulent purchases on credit and debit cards and, of course, cancelling compromised cards and bank accounts, then issuing new ones to their customers. Needless to say, that’s an expensive process, especially when you’ve got to repeat it 45 million times, as banks across the country will have to do in the wake of TJX. No surprise, then, that banks aren’t taking this sitting down.
Banks are in the process of notifying consumers, some who did not think they were affected, that they will soon receive new debit and credit cards in the mail. — CAREY GREENBERG-BERGER
TJ Maxx computer system intruders who stole 45.7 million credit cards siphoned off customer data using a program they implanted on the company’s servers, recent regulatory filings reveal.