As an apology to the millions of consumers who had their credit card info stolen, TJX (that’s T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright) is offering fifteen percent off all purchases in stores today only. We suggest that you pay with cash.
The Washington Post has reported that Heartland Payment Systems, a payment processor that services “more than 250,000 businesses,” has had more than 100 million transactions compromised via malicious software that was installed on its network; it will likely turn out to be the largest data breach ever reported. The “good” news is that the criminals were only capturing credit card numbers, the names on the cards, and expiration dates—the info encoded onto the magnetic strip on the card. Because no addresses, SSNs or PINs were stolen, the prospect of full-blown identity theft is pretty small—which must explain why Heartland isn’t offering any sort of credit monitoring package as compensation. Instead, their CFO says, “We recognize and feel badly about the inconvenience this is going to cause consumers.”
We’d hoped that Activision’s blunder would be the last one, but it turns out the HR department at Aflac can’t find the BCC field either. Reader Corey writes in to let us know he just received an email addressed to him and 623 other people who were interested in jobs with the insurance company. Our guess is some of the recipients won’t be so interested in a career with a company that doesn’t care about the privacy of its employees. After the jump, a quick guide to obscuring other recipients’ email addresses so this doesn’t happen again.
The FBI has announced that a former Countrywide employee and his accomplice were arrested on charges related to “illegal access of computers containing personal information,” and “illegal sale of the data.” A criminal complaint filed last Friday alleges that one of the men, Rene L. Rebollo Jr., a senior financial analyst for Countrywide Home Loan’s subprime mortgage division (who was let go in July), had been harvesting data from Countrywide’s computers for the past two years — downloading and storing the information on personal flash drives.
UPDATE: Adam has been in contact with the owners and has posted an update on his site.
Reader Bryan’s Wells Fargo credit/debit card stopped working unexpectedly one day while he was trying to gas up his car. He was confused because he had used the card the night before with no problems. He spoke to a Wells Fargo CSR at a local branch and discovered that the data for 125,000 cards, including his, was “compromised,” thus deactivating his card. This had already happened to him once before within the last year and he was not pleased. His letter, inside…
LendingTree announced today that several former employees are suspected of sharing passwords with lenders that were not approved by LendingTree, and that this may have exposed customer data including: name, address, e-mail address, phone number, Social Security number, income and employment information.
After hearing about Hannaford’s giant customer data breach yesterday, Brian decided to cancel the debit card he’d used there. That’s when he found out that Key Bank really wants you to have a debit card. In fact, they’ll charge you a small monthly fee to not have one linked to your “free checking” account. We figure that this means Key Bank makes about $12 a year more off of customers who have linked debit cards—and that if you want greater security on your account, it’s going to cost you.
CSO has produced an interactive U.S. map that shows what’s required of companies that suffer a data breach in the 38 states that care enough about consumer rights to have passed disclosure laws. Most are modeled after California’s strict SB1386 anti-ID theft law, but now you can tell at a glance what your state is doing about the issue—and in most cases you can click on the icon in the pop-up info box to see a copy of the actual law.
Look, Wisconsin. We weren’t kidding around last time. We really did mean it when we said that it wasn’t cool to print people’s Social Security Numbers where anyone can see them. How can people who are smart enough to sell sausage shaped like beer (above) not be able to figure out that the SSN is a secret?
If you bought anything from Geeks.com in at least the last year or so, you might want to start paying close attention to your credit card statements—the company sent out an email on Friday telling former customers that they “recently discovered on December 5, 2007 that customer information, including Visa credit card information, may have been compromised.” Full email after the jump.
TJX will be paying as much as 40.9 million in a settlement with Visa and the bank that processes their credit card payments, says the Associated Press.
The funds will be used to help U.S. credit card issuers such as banks recover costs related to the breach, which may have exposed more than 100 million cards to potential fraud, TJX said.
Last Sunday’s 60 Minutes had a report by Lesley Stahl about the now-infamous TJX data breach.
According to new court papers, Visa and Mastercard are saying that the TJ Maxx security breach actually affected 94 million accounts—more than double the amount that TJ Maxx reported.
Mouseprint.org has read the fine print and they say you’re probably out of luck when it comes to the TJ Maxx Settlement:
So, it is primarily shoppers who returned goods without a receipt during the relevant period who qualify for that part of the settlement. That amounts to some 455,000 people, a mere 1% of the total number possibly affected. These people have already received a direct notification of the breach from TJX, and will also be entitled to other compensation if they experienced actual losses.
Ameritrade has known about the problem at least since late May when two of its customers sued the brokerage in federal court because they were receiving unwanted e-mail ads on accounts used only for Ameritrade.
The report claims that it has “no recommendations,” but the language of the report suggests otherwise. Consumer advocates are taking issue with the GAO’s “not-a-recommendation” of a risk-assessment plan, in part because they believe that every consumer who has been the victim of a data breach should know about it, and also because the connection between data breaches and ID theft is difficult to assess, thus making it somewhat unbelievable that an accurate and useful risk-assessment program could be created.
Fidelity National Information Services, a financial processing company, announced today that one of its employees had stolen 2.3 million customer records containing credit card, bank account and other personal information, and sold that information to an unidentified “data broker” who then sold the information to various direct marketing companies.