TJX Companies Inc. may have stored more customer data than
necessary, putting possibly millions of
customers at risk for ID theft, according to some in the
banking industry.
Meanwhile, one ID theft victim said TJX customers should take an
important lesson from this latest data breach: Companies can't
always be trusted to protect data, so customers must do a better
job tracking the whereabouts of their own information.
"You need to know where your information is going and what steps
a company is doing to protect that data," said Rennee Schwartz, a
Davenport, Iowa, resident whose credit card information was stolen
two years ago. "You have to be more cautious, more astute when
reviewing credit card statements. Stay on top of your information
and don't wait until it's too late."
Framingham, Mass.-based TJX acknowledged Wednesday that an
attacker exploited a flaw in a portion of its computer network that
handles credit card, debit card, check, and merchandise return
transactions for customers of its T.J. Maxx, Marshalls, HomeGoods
and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners
and HomeSense stores in Canada. The intrusion may involve customers
of its T.K. Maxx stores in the U.K. and Ireland and could also
extend to TJX's Bob's Stores in the U.S., the company said.
The discovery was made in December, but the retailer said
investigators asked to delay an immediate announcement of the
breach during the initial part of the investigation.
Following the TJX announcement, banking officials expressed
concern about the scope of the data breach. The Massachusetts
Bankers Association, for example, told The Boston Globe that
credit-card companies informed 28 of its member banks that some
cardholders may have been affected by the breach, and that the
number will probably grow.
Daniel J. Forte, president of the banking trade group, suggested
that TJX might have been holding onto customer data that shouldn't
have been kept around. He noted that under credit-card network
rules, retailers aren't supposed to store information after they
confirm a person's identity and account balance. "After the
transaction clears, there is no reason to store any data," he told
the Globe.
Forte did not immediately respond to a phone request for
additional comment, nor did TJX spokeswoman Sherry Lang.
ID theft victim speaks out
While Schwartz's case wasn't tied to a company data breach like the
one TJX suffered, she was still unsettled by the news and
sympathizes with those whose credit card data might have been
compromised.
"You use credit cards online because it's convenient, and then
you discover it's not so convenient," she said. "You expect a
company to protect its customers' data and it's disconcerting when
you discover that's not happening. We're also dealing with a new
caliber of thief that steals online."
Schwartz and her husband learned their information had been
compromised when one of their credit card providers reported
suspicious purchases being made on the Internet with her card
number.
"Someone got hold of the credit card number and spent a little
over $1,000 on computer items -- routers, broadband and membership
subscriptions for online computer publications and services," she
said.
While she doesn't know for certain how her data was compromised,
Schwartz is pretty confident the problem was tied to the Xbox Live
program her son was using via her home computer.
"To play programs on Xbox Live, our firewall had to be turned
off, so we were wide open," she said. "I knew the firewall had to
come down and didn't like it. My son was supposed to put it back up
after using the program but must have forgotten at some point. In
hindsight, though, the damage may have been done while he was using
the program."
She believes someone exploited that weakness and accessed the
credit card number used specifically for the Xbox Live program,
which was stored online.
"The person who did this wasn't very sophisticated," she said.
"They were out for some hit-and-miss items, the goal being to buy a
few things."
The incident left her feeling vulnerable and less trusting of
online commerce. She also had to endure the hassle of getting
another credit card and notifying the companies that took payments
from the old credit card once a month.
Lessons learned
After cleaning up the mess, Schwartz took steps to ensure she
wouldn't be victimized again. For starters, the Xbox program is no
longer used on the computer where she keeps personal data. She also
changes her password more frequently now, and will only use one
credit card for online transactions instead of the two she used to
use. She also checks her online credit card statements more
doggedly to make sure there are no suspicious charges.
After sharing her experience with a friend who works for the Fraud
Resource Group, she decided to tell her story so that others might
take steps to protect themselves.
The Fraud Resource Group investigates and works to prevent
online fraud. One of the weapons it tries to direct people toward
is a product from Edison, N.J.-based security vendor StrikeForce
Technologies Inc. called GuardedID, which is designed to encrypt
data so it can't be harvested by keyloggers.
While such tools could go a long way in protecting people from ID
theft, Schwartz said it's most important to pay attention to what
companies are doing with their customers' data.
"People think this can't happen to them. But it can happen to
anyone," she said.