"Hacker in US payment card theft case pleads guilty" [Reuters]
(Photo: Brymo)

Chris says:

According to comments allegedly made by Howard Cox, a US Department of Justice official in a closed-door meeting last week, after being frustrated with the disk encryption employed by Yastremskiy, Turkish law enforcement may have resorted to physical violence to force the password out of the Ukrainian suspect.

Mr Cox's revelation came in the context of a joke made during his speech. While the exact words were not recorded, multiple sources have verified that Cox quipped about leaving a stubborn suspect alone with Turkish police for a week as a way to get them to voluntarily reveal their password. The specifics of the interrogation techniques were not revealed, but all four people I spoke to stated that it was clear that physical coercion was the implied method.

The Turkish interrogation seemed to have worked as Mr Cox was even able to share Yastremskiy's encryption password with the audience.

Eek.

Turkish police may have beaten encryption key out of TJ Maxx suspect [CNet]

Jeremy writes:

Just got a replacement card from Citi due to possible “compromise of information” but when I asked customer service who the merchant was who may have been compromised, she said she did not have that information, but that it came straight from Visa and Mastercard and that it happened in the last 6-8 months.

Trevor writes:

I logged onto my CitiCard professional account today and discovered an "important security messsage" that my account may be at risk due to a problem with a merchant's database. The CSR said someone had "hacked in" to a database. His manager said she didn't know which merchant was involved, and invoked the TJ Maxx case as an example. When I asked if this was of comparable size, she said it was, and the CitiBank was issuing new cards to people, and that mine should be in the mail already.

Update 09/19/08: We received another report this morning:

Just yesterday, I received a replacement card.

Logging onto their site, I got a message saying my card had been compromised. I decided to activate the new card, but pressed 5 for a consumer rep. This was not the ordinary rep with noise in the background. She had no "sell-up" scripts nor an ebullient demeanor.

She said my card had to be replaced due to a database compromise.

U.S. charges 11 in theft of TJX customer data [Forbes]

This is a post in our Worst Company In America 2008 series. The companies nominated for this honor were chosen by you, the readers. Keep track of all the goings on at consumerist.com/tag/worst-company-in-america/

STILL OPEN FOR VOTING: Mattel vs ATT, Capital One vs Video Professor, eBay/Paypal vs COX, Apple vs SallieMae, Diebold Vs Pfizer, MTV vs TransUnion
CompUSA vs DirecTV
Target vs Best Buy
Allstate vs Verizon,
DeBeers vs 1800 flowers, Starbucks vs United Airlines,
Exxon vs Crocs, Google Vs Sony, Ticketmaster vs Wachovia, Facebook vs The American Arbitration Association, Comcast vs Menu Foods

The funds will be used to help U.S. credit card issuers such as banks recover costs related to the breach, which may have exposed more than 100 million cards to potential fraud, TJX said.

The breach is believed to be the largest ever, based on the number of customer records involved.

Issuers of at least 80% of eligible cards must accept the offer by Dec. 19 for the settlement to take effect, said Framingham, Mass.-based TJX, owner of about 2,500 stores including T.J. Maxx and Marshalls.

Cross your fingers.

TJX will pay up to $40.9M for data breach [USAToday]

The most interesting conversation was between Stahl and a representative from the National Retail Federation, who placed the blame for lax store security on the credit card companies:

"Is there growing tension between the two sides now?" Stahl asks Dave Hogan, who handles computer technology at the National Retail Federation.

"Lesley, absolutely, there's growing tension between the two sides," he replies.

Hogan says credit card companies should change how they do business. "If we could just force Visa and MasterCard to not require retailers to store credit card data, this issue would disappear overnight," he argues.

Hogan says card companies force retailers to store customer data in case there are charge disputes. He thinks the card companies should hold the data, not the stores.

"Honestly, we can eliminate this problem within a few days," Hogan says.

"If it's that easy, why hasn't it been done?" Stahl asks.

"I'm not too sure how vested the credit companies are as far as securing customers' data," Hogan says.

"And you're saying that the credit card companies are the one's who are not security conscious?" Stahl asks.

"In my humble opinion, no," Hogan replies.

He accuses the card companies of using this issue as a way to make money. Visa, for example, has started fining large chains that do not have up-to-date security $25,000 a month.

"If you do the math on it, this could be a windfall of $200 million annually for the credit card companies as far as a revenue stream," Hogan says.

Visa chose not to respond.

The report also had some interesting emails from inside TJX, proving that they did, in fact, know that their wireless encryption was out-of-date and easy to crack. If you're the paranoid-about-credit-type you might want to avoid watching this report. Those who enjoy watching Lesley Stahl learn about WEP and WPA while driving around in a van with a lovable nerd should head on over. She's so cute!

Hi-Tech Heist [60 Minutes]

According to AirDefense, about 85% of the 2,500 wireless devices that it discovered in retail stores, such as laptops and barcode scanners, were vulnerable to wireless hacks. Out of the 4,748 access points that were monitored for the survey, about 550 had poorly named SSIDs that could give away the store's identity.

An analyst points out that AirDefense has a business interest in finding and pointing out security holes, but that doesn't make the findings imaginary. Even the analyst admits it's a real problem in retail today:

"Wireless security continues to be the major hole that allows criminals access to retailer systems," she said. "It's very difficult to lock it down" for retailers.

The new estimate is part of a lawsuit by the credit card companies against Fifth Third Bancorp and TJX (parent company of Marshalls and TJ Maxx, among others).

Visa says that their fraud related costs are in the neighborhood of $68 - $83 million, and will only go up as more thieves use the stolen data.

Damn.

TJX data breach may involve 94 million credit cards [USAToday]
(Photo:Getty)

So, it is primarily shoppers who returned goods without a receipt during the relevant period who qualify for that part of the settlement. That amounts to some 455,000 people, a mere 1% of the total number possibly affected. These people have already received a direct notification of the breach from TJX, and will also be entitled to other compensation if they experienced actual losses.

For everybody else who made a purchase at a TJX store by check, credit or debit card between certain dates, and who suffered more than a $5 loss as a result of the breach, you will be entitled to $30 to $60 in merchandise credit depending on the level of proof you have. Despite the large number of card numbers stolen, it appears that very few people actually became victims of id theft. That may best explain why most of the 45 million cardholders will not be entitled to compensation.

TJX Settlement: You'll Probably Get Nothing [Mouseprint]
(Photo:pierre lascott)

The announcement did not specify the settlement cost, but noted that its estimated costs were included in a $107 million reserve included in its second-quarter report for fiscal 2008 and its estimate of $21 million in costs expected in fiscal 2009. The $107 million figure includes costs from other lawsuits not included in the customer class actions, the Framingham-based company said.

The settlement also includes Cincinnati-based Fifth Third Bancorp, which processed some payment card transactions for TJX and was named in some of the customer lawsuits.

TJX said it denied the allegations in the customer lawsuits. It concluded that more legal action would be time-consuming and expensive.

"We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system," TJX President and CEO Carol Meyrowitz said in a statement.

TJX Settles Customer Class Action Suits [AP]
(Photo:Scorchamac)

The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn.

There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers and the store's computers. That helped them hack into the central database of Marshalls' parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about customers.

The $17.4-billion retailer's wireless network had less security than many people have on their home networks, and for 18 months the company — which also owns T.J. Maxx, Home Goods and A.J. Wright— had no idea what was going on.

The type of network George was looking for is called WEP, and it's not that difficult to crack. It's about the same level of security that most people have on their home networks. It's probably fine for your needs, but a corporation needs something, uh, more robust.

The following stores were mentioned by George as having the potential to be hacked. Naturally, he didn't try to break in because he's not an evil douchebag and he doesn't want to go to jail. So keep that in mind.

Lowes: I saw a combination of WPA and WEP coming from Lowes Home Improvement store. The problem is that almost all of the wireless clients were connected using WEP and actively transmitting data. Even if no one is using WEP but the WEP network exists and gets broken into, the hacker will come in via WEP and it doesn't matter if WPA is mostly being used

JCPenny:
JCPenny only used WEP on their network and it was actively being used by many wireless LAN clients. It does not look good at all.

Macy's:
Macy's only used WEP on their network and it was very active. I could see a lot of Cisco and Symbol clients connected to the access points. These clients may be the cash registers. Macy's does not look good.

Best Buy:
Best Buy was sort of an odd case. The first network I saw from them was labeled "BestBuy" for the SSID and it was in the clear with zero security. I walked in to ask them if they were offering free Wi-Fi access and the nice employ told me no. Then he wanted to be helpful so told me to go ahead and try to get on the network to get access and I had to hold my laughter back.

PetSmart pet store:
PetSmart only showed a WPA network. However, WEP and WEP40 compatibility was also detected so it isn't clear what the risk is without doing a penetration test which I can't legally do.

Office Depot:
Office Depot actually had a "Free Wi-Fi" sign with a two-page instruction sheet on how to get free Wi-Fi service in their store. I didn't see any customers using it but I found it strange that so many devices where actively using it.

Retailers haven't learned from TJX - still running WEP [ZDNet]
TJX's failure to secure Wi-Fi could cost $1B [ZDNet]
How Credit-Card Data Went Out Wireless Door [WSJ]
(Photo: pierre lascott)

"Slips of paper containing people's financial information should not be floating around," says J. Mark Moore, a lawyer at Spiro Moss Barness LLP in Los Angeles.

Among the targets are Rite Aid, Wendy's, FedEx, TJMaxx and IKEA.

Keep an eye on those receipts. Find one with more than 5 credit card digits on it and it could the equivalent of an unclaimed winning lottery ticket, if one were so inclined. — BEN POPKEN

Retailers Whose Slips Show Too Much Attract Lawsuits [WSJ via Consumer World Blog]
(Photo: Mikey aka DaSkinnyBlackMan)

The worm operated undetected for at least 18 months, capturing credit card numbers, then changing timelogs and moving data around to erase its tracks.

Initial speculation suggested that the thieves had access to the retailer's encryption key. Now it may be that the program captured data before it was encrypted.

If the latter, the ramifications are immense, as it means every single retailer's credit card processing system is at risk. — BEN POPKEN

TJX Intruder Had Retailer's Encryption Key [eWeek] (Thanks to Brandon!)

...Making it the largest robbery in the history of man.

It's time to start pressuring merchants to stop endlessly archiving our banking data. Why do they get to keep a copy of our credit cards forever? — BEN POPKEN

TJX breach involved 45.7m cards, company reports [Boston.com] (Thanks to KevinQ!)
(Photo: Sonny-)

From the AP:

"Losses experienced by Wal-Mart and the banks issuing the credit cards currently total more than $8 million in Florida and are still being calculated," a release from the department said.

Framingham, Mass.-based TJX discovered in mid-December that customer data had been stolen by computer hackers and used to make fraudulent debit card and credit card purchases, but did not inform the public of the breach until mid-January. TJX, parent of T.J. Maxx, Marshalls, HomeGoods and other chains, later said it took a month to make the breach public because it was trying to prevent further damage.

The company at first thought the intrusion began in May 2006 and ran into January, but later said it found the breach started nearly a year earlier, in July 2005.

Florida arrests linked to data theft from TJX systems [Boston Globe]
Stolen Data From T.J. Maxx Parent Company Surfaces In Florida Wal-Mart Fraud [Information Week]

PREVIOUSLY: TJ Maxx Security Breach Happened A Year Earlier Than Previously Reported
T.J. Maxx Credit Card Breach Probed By MA & RI AGs
(Photo: Jels)

"TJX Cos. said today that the unauthorized intrusion into its computer system occurred nearly a year earlier than it previously believed.

The Framingham operator of such offprice retail chains as T.J. Maxx and Marshalls offered additional details about a data breach it first disclosed last month.

TJX said today in a statement: "While the company previously believed that the intrusion took place only from May 2006 to January 2007, TJX now believes its computer systems was also intruded upon in July 2005 and on various subsequent dates in 2005. TJX continues to believe there was no compromise of customer data after-mid December 2006."

At this point it might be best to assume that your credit/debit card information has been stolen if you've ever shopped at TJ Maxx/Marshalls. They don't seem to have any idea what is going on. TJ Maxx has a toll-free line at 866-484-6978 for customers with questions about the situation.—MEGHANN MARCO

TJX: security breach happened earlier [Boston Globe] (Thanks, Kalun!)

PREVIOUSLY:TJ Maxx and Marshall's Hacked

Rhode Island Attorney General Patrick C. Lynch, pictured, filed a civil investigative demand against T.J. Maxx

"TJX owes its customers respect, not neglect," Lynch said. "By being negligent in its security procedures and by failing to employ immediate and aggressive methods to notify their many customers of the distinct possibility that their identities had been — or were at risk of being — stolen, TJX has displayed disregard for its customers."

Whoa, better watch out when Rhode Island, aka, "The Mafia State," investigates. They're probably just peeved they didn't get cut in on the action. — BEN POPKEN

AG Lynch initiates action against TJX regarding security breach of its computer systems [riag.ri.gov]

Previously: T.J. Maxx Gets Class Actioned For Credit Card Breach
TJ Maxx & Marshall's Hacked, Tons Of Credit Cards Stolen

Pier 1 Imports Inc. said on Tuesday it had received a temporary restraining order that would prevent TJX Cos. Inc. from filing a lawsuit against Pier 1's new President and Chief Executive Alex Smith....
On Monday, a Pier 1 spokesman said in a statement the company was trying to stop TJX from interfering with Smith's new employment agreement. Such threats were "improper," said spokesman Tom Thomas, because the two companies are not competitors.

The restraining order was necessary "to assure that Alex will be at his post next Monday to oversee the beginning of Pier 1's return to profitability," said Thomas.

Unfortunately, TJ Maxx didn't return calls for comment. They were too busy painting over Smith's parking spot and ripping up old prom photos. Happy Valentine's Day.—MEGHANN MARCO

UPDATE 1-Pier 1 says gets restraining order against TJX [Reuters]

Stern Shapiro Weissberg & Garin LLP, and another firm are suing for credit-monitoring services as well as any damages incurred.

Credit cards stolen in the breach have been used in Florida, Georgia, and Louisana, as well as Hong Kong and Sweden. Driver's license data was stolen as well.

Hundreds of thousands of credit cards have been reissued due to the theft.

If you shopped at TJ Maxx mid-May to December 2006, or at all in 2003, check your statements carefully and report if purchases seem amiss. — BEN POPKEN

Class action suit filed against TJX [Boston.com via Adfreak]

Previously: TJ Maxx & Marshall's Hacked, Tons Of Credit Cards Stolen

Based on the info released so far, all TJ Maxx and Marshall's transactions from mid-May to December 2006, as well as all of 2003, have been compromised.

If you shopped at TJ Maxx during these times, you're well advised to check your statements and report any suspicious activity.

TJ Maxx has a toll-free line at 866-484-6978 for customers with questions about the situation. — BEN POPKEN

Retailer TJX reports massive data breach [InfoWorld]

Holiday gift returns: Still nothing easy about it [Money] (Thanks to Octavia!)