11 Arrested in the TJX Identity Theft and Data Breach Case

The FBI has arrested 11 people in the case of the largest identity theft and data breach in history, which targeted TJX and other companies. The suspects, three of whom are US citizens, are believed to have taken part in the theft of over 40 million credit and debit card accounts from 9 major retailers and restaurants. Stealing that much data was possible after installing malicious software on the systems of TJX Companies, BJ’s Wholesale Club, OfficeMax, Barnes & Noble, Sports Authority, Forever 21, DSW, Dave & Busters and Boston Market.

The breach, never surpassed in the time that has passed since, has been covered constantly by the media. The Register tells the story of the breach in a recent article: in the beginning of 2007, TJX first reported a breach by unknown individuals who had at the time stolen 46.5 million credit cards, a number later proved to be twice as high. According to the Register, the fraud had been going on for quite a while when TJX reported it, as a year earlier industry watchers had noticed an unusual increase in debit card fraud at retailers OfficeMax and Sam’s Club.

The US Attorney for Massachusetts and the US Attorney General both commented on the issue:

“While technology has made our lives much easier it has also created new vulnerabilities,” Michael J. Sullivan, US Attorney for the District of Massachusetts, said in a statement announcing the indictments. “This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results.”

“They used sophisticated computer hacking techniques, breaching security systems and installing programs that gathered enormous quantities of personal financial data, which they then allegedly sold to others or used themselves,” US Attorney General Michael Mukasey said in prepared remarks. “And in total, they caused widespread losses by banks, retailers, and consumers.”

Other than having a sophisticated, high-end technique for stealing the information, the ring of thieves also had multiple ways to turn the theft into profit, either by selling the data to other criminals or by using it to create fake cards and withdraw thousands of dollars at a time.

The eleven arrested individuals are from the United States, Estonia, Ukraine, the People’s Republic of China and Belarus. The FBI is still in pursuit of another member of the group who is only known by his online alias and continues to elude authorities. Let’s hope he’s caught soon enough!

Banks Preferred by Fraudsters in 2008

July 31st, 2008 by Agent Smith (0) IT security, In the News, fraud, online fraud

It looks like fraudsters have a thing for banks and have been showing this affinity in the first six months of the year. This is the conclusion of the latest Fraud Barometer released by KPMG Forensic.

According to the barometer, quoted by CRN UK, fraud has increased by 50 percent, generating 630 million pounds for fraudsters. Banks topped the losses, reporting a record amount of 350 million, with 128 fraud cases coming to court. The most frequent types of fraud were mortgage fraud, and accounting and employee frauds.

KPMG also released dark predictions for the future, stating that the figures they released are most likely to get worse, one of the causes being the full impact of the credit crunch.

Public Access vs. Private Records Protection

The European Data Protection Supervisor, Peter Hustinx, stated he was unhappy with the proposed law aimed at improving public access to EU documents. The European Commission proposed the law as a means to improve European government transparency.

Yet according to Computing.co.uk, Hustinx is concerned that the security measures protecting personal data in public documents are not effective. His concern was triggered when a reference to possible harm to “the privacy and the integrity” of the individual was deleted from the initial proposal.

“Public access on the one hand and privacy and data protection on the other are fundamental rights which represent key elements of good governance,” said Hustinx.

We’ll just have to wait and see what will happen, and if the right to public access wins the battle, we could recommend some DLP solutions :).

UK SMEs Warned To Improve Security

The Economic and Social Research Council (ESRC) warned that small and medium sized enterprises (SMEs) are most likely to fail at effectively securing their data, which could subsequently lead to compromising a large portion of the UK economy.

Based on figures provided by the Department for Business, Enterprise and Regulatory Reform and quoted by Computing.co.uk, SMEs make up 51.9 per cent of annual turnover in the UK and over 99.3 per cent of existing businesses.

Meanwhile reported fraud cost UK businesses over £705m in the last six months, 74 per cent up on the same period last year and hitting £317m in April 2008 alone, says research from accountant BDO Stoy Hayward.

Banks and insurance firms suffered costs of more than £636m, or 90 per cent of the total cost of fraud in the first half of 2008, while management fraud accounts for 46 per cent of fraud cases and third-party fraud for 32 per cent, costing businesses a total of £541m.

Stockbrokers Get Fine for Poor Security

The Financial Services Authority (FSA) has recently fined a firm of stockbrokers for failing to adequately protect their customers from the risk of identity fraud. The FSA, quoted by the Register, said the company’s poor security included failing to manage, among other things, the risks posed by staff using instant messaging and web-based email.

London-based Merchant Securities Group Limited also failed to verify the identities of customers contacting the firm by telephone. They instead relied on being able to recognize customers’ voices and informally asking them about personal matters such as holidays or hobbies. The firm also had the habit of including private account numbers in routine letters which could then lead to fraud or identity theft.

The FSA also found that back-up tapes containing unencrypted customer information were stored overnight in a bag at the home of a member of staff.

The London-based firm also failed to implement adequate controls “to mitigate the risk of customers’ personal data being transmitted outside the firm by failing to prevent the use of instant messaging and web-based email,” according to the penalty notice (pdf) served by the FSA.

HMRC Breach Caused By Poor Security

A formal inquiry into the now notorious security breach reported last October at HM Revenue & Customs (HMRC) has recently been published. The breach exposed 25 million personal records and has been proved to have been caused by “major institutional deficiencies”, reports SearchSecurity UK.

The inquiry extensively details the operating procedures implemented at HMRC before the data breach. It also describes the circumstances that led to the loss of two CDs holding personal and financial information on Child Benefit recipients.

The inquiry, led by Kieran Poynter of management consultants Pricewaterhousecoopers (PwC), concluded that “information security simply wasn’t a management priority as it should have been, and HMRC had an organizational design which was unnecessarily complex and crucially, did not clearly focus on management accountability.”

The report of the investigation provides a detailed blow-by-blow account of events leading up to the data loss, with extracts of emails showing who said what to whom. However, since the blame for the breach is attributed to cultural and organizational weaknesses, the staff members involved are given anonymity, and referred to only as employee A, B, C and so on.

DPS-contracted Company Breached

Private records of 826 state employees were recently stolen from a home office in Wichita Falls, Texas. An employee of L-1 Identity Solutions was keeping the information in a lockbox, pending fingerprinting, as agreed with the Department of Public Safety.

All the affected individuals are being notified by mail that their names, home addresses, dates of birth, driver’s license and Social Security numbers are missing and they are exposed to identity theft and fraud. According to KXAN.com, about 100 of those affected work for the State Board of Education. The incident comes less than a year after the Texas Legislature mandated that all education employees submit their fingerprints for criminal background checks.

Montgomery Ward Kept Customers in the Dark on Data Theft

In a security breach not yet reported to its customers, Montgomery Ward, an old-line merchant now operating as an internet retailer, had 51,000 credit card numbers stolen. The private records were stolen in December from an online database containing credit card account information.

According to SC Magazine, the furniture retailer operates on the internet through the Wards.com site and is actually owned by Direct Marketing Services.

Direct Marketing Services notified the major credit card brands of the incident but failed to alert customers. Now that the breach has been exposed, they’ve had a change of heart and are planning on letting all those affected know of the breach.

New PCI Standards Disregard Inside Threats

Starting June 30, new measures inserted in the Payment Card Industry (PCI) standard will be enforced. However, representatives of a database security firm point out that the new additions do nothing to address insider threats.

As Vnunet.com shows in a recent article, the new measures require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all customer application code reviewed for common vulnerabilities.

Secerno representatives argued that the new and “improved” standard does not address real threats effectively:

“The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data,” said Paul Davie, founder of Secerno.

“It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users.”

Other than completely ignoring ill-willed insiders, the PCI standard also fails to regulate data encryption requirements, database security policies, or measures for protecting data on private networks.

Anti-Fraud Collaborative Service Launches in the US

June 24th, 2008 by Agent Smith (0) DLP, IT security, Identity Theft, online fraud, security breach

Ethoca, a European service where member businesses share intelligence about fraudulent transactions and other unauthorized online activity they come across, is now operating in the US. The expansion took place quietly, with Ethoca representatives deciding not to create much hype about entering a new market.

According to DarkReading, Ethoca already has offices in Dublin, Ireland, and Toronto, Canada. It is a community-based collaborative service for online businesses in retail, gaming, airline, payment processing, prepaid card providers, travel and leisure, and dating services. Ethoca’s biggest customers include powerful names such as the Royal Bank of Scotland, while former U.S. Secretary of Homeland Security Tom Ridge is a member of its board of directors.

Member companies submit their transaction data to Ethoca, which acts as a clearinghouse and fraud assessment hub for all members — they basically get to vet a suspicious online order (address, phone number, credit card, IP address, and buyer name) with the experience of other members. “It’s like how a credit bureau works,” says Andre Edelbrock, Ethoca’s president and CEO, who calls the firm a fraud management services provider.