Sunday, April 01, 2007

I probably wouldn't spend nearly as much time on TJX if they were a little more forthcoming. It seems there is always one more question...

http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_shows_that_encryption_can_be_foiled/

TJX breach shows that encryption can be foiled

By Ross Kerber, Globe Staff | March 31, 2007

Encryption alone is no panacea for threats to consumer data, according to specialists who say the technology's limit can be seen in the problems reported by TJX Cos. of Framingham.

... recent details to emerge on how hackers accessed the parent of stores including T.J. Maxx and Marshalls show how encryption can be defeated by clever thieves -- and suggest the breach may have been an inside job.

... The filing also discloses for the first time that the company now faces a multistate investigation by the attorneys general of roughly 30 states, led by Massachusetts Attorney General Martha Coakley, who has previously said she would press the company for more details on the matter.

The filing states that this month Coakley's office sent TJX a demand for documents concerning the break-in "as part of that office's review of allegations that the company may have violated state law regarding consumer protections and related matters."


What does this suggest? Do we have a deal to rat out the hacker? Can we conclude these aren't the hackers?

http://www.jaxnewsonline.com/article/2007-03-30/6463.php

3 of 6 charged in TJX scheme plead guilty

JACKSONVILLE, Fla., March 30 (UPI) -- Three of the six people charged with stealing credit card data from TJX Cos. have pleaded guilty, Florida law-enforcement officials said Friday.

Suspected ringleader Irving Jose Escobar, 18, pleaded guilty in Florida Criminal Court in Jacksonville to one count of first-degree organized scheme to defraud over $50,000, officials said. He faces up to 30 years in prison.

... Sentencing for all three is set for May 31, ABC News reported. [Perhaps that will tell us... Bob]


Am I picking too many nits here? (In the UK, TJ Maxx is spelled differently...)

http://www.channel4.com/news/articles/uk/tk+maxx+chiefs+regret+over+fraud/366277

TK Maxx chief's regret over fraud

Last Modified: 31 Mar 2007 Source: PA News

The president of bargain chain TK Maxx has expressed his personal regret at his company's involvement in the world's biggest ever credit card heist.

Paul Sweetenham posted a letter to customers after it was revealed that hackers stole at least 45.7 million credit and debit card numbers from the US and UK-based computer systems of the American retailer that owns the chain.

The Information Commissioner's Office (ICO), the UK privacy watchdog, is in contact with the company and authorities in the US and Canada after it was revealed that information held in Watford, Hertfordshire, was involved.

[The UK web site is at: http://www.tkmaxx.com/index.asp

Note: Some of this may be lost in translation from the English, but I find it strange that the Head of TJX – Europe:

  • regrets, “any concerns you may have” rather than anything TJX did or failed to do.

  • States that “we suspected that information from credit and debit card transactions at T.K. Maxx had been stolen in the intrusion at our parent company in the U.S. I regret to report that we have just confirmed our suspicions.” Then says the facts are: “No T.K. Maxx data was included in the data that we believe was stolen...”

  • Thus, I'm concerned that when he claims: “Personal identification numbers (PINs) were not compromised in the intrusion at T.K. Maxx.” -- perhaps they were taken from the TJ Maxx “intrusion”?

  • And when he says: “We believe customers should feel safe shopping at T.K. Maxx.” I wonder why he couldn't say they ARE safe.

Here's my biggest concern... Am I beginning to sound like a lawyer? Bob]


No doubt you can trust these guys to sell you exactly what they advertise...

http://business.timesonline.co.uk/tol/business/industry_sectors/retailing/article1595836.ece

Organised crime link in TK Maxx scam

From The Sunday Times April 1, 2007

CREDIT-CARD numbers stolen from TK Maxx, the retailer, have been offered for sale on websites used by organised crime, it was alleged this weekend, writes Paul Durman.

Rob Cotton, chief executive of NCC Group, an information-security specialist, said: “A lot of TK Maxx card records have been sold on these sites.”

He named four sites that act as “an eBay for hackers”, allowing criminals to buy and sell stolen card details.

The four are: cardersmarket.com, cardingworld.cc, forum.scandinaviancarding.com and darkmarket.ws.

Cotton said the US Federal Bureau of Investigation, and other authorities, were constantly trying to shut down such sites, which are often hosted in legally “difficult” countries such as Russia, China or Indonesia.

... Cotton said that similar thefts often went undisclosed. “Security is regularly breached,” he said, “and organised crime is behind it.”



What your privacy is worth in New York...

http://www.insurancejournal.com/news/east/2007/03/30/78268.htm

N.Y. Insurer to Pay Customers for Unlawful Access to Credit Reports

March 30, 2007

New York Attorney General Andrew M. Cuomo has negotiated a settlement affecting nearly 400 New York consumers whose credit reports were unlawfully accessed by an insurance company.

Under the settlement, Administrators for the Professions, Inc. (AFP), a New York insurance company, is paying $229,600 in compensation to those consumers.

According to Cuomo, between November 2000 and March 2006, AFP obtained more than 800 consumer credit reports on approximately 400 different individuals from the credit reporting agencies Equifax and TransUnion. An overwhelming majority of the consumers' credit reports were acquired for purposes not permitted by the federal and state Fair Credit Reporting Acts.

Headquartered in Manhasset, N.Y., AFP is the management company, conducting all day-to-day operations for Physicians' Reciprocal Insurers (PRI), a medical malpractice writer.

Credit reports may be legally obtained by agents such as potential credit grantors, employers, or insurers, or with a consumer's permission. AFP, however, illegally provided credit reports for use as investigative tools in civil litigation, for use in connection with insurance claims, and for satisfying requesters' personal curiosity, according to officials.

Officials said credit reports were also unlawfully attained for investigators trying to locate parties in matrimonial and other personal matters, and for individuals looking to acquire information about an estranged spouse.

... As a result of AFP's unlawful acquisition of consumers' credit reports, the credit files of those consumers inappropriately reflected that a credit "inquiry" had been made. The inclusion of such an inquiry in the credit files of these consumers could adversely affect their credit score or result in other negative consequences.

Under the settlement with the attorney general, AFP agreed not to acquire a consumer credit report unless it is for a permissible purpose as set forth in federal and state law. AFP agreed to pay $229,600 in compensation for consumers whose credit reports were illegally accessed; those consumers whose credit reports were obtained on one occasion will receive $600, while consumers whose credit reports were accessed on two separate occasions will receive $1,000. AFP will also pay the State of New York $85,000 for penalties and $15,000 for costs related to the investigation.

In addition, AFP will provide the list of all affected consumers to Equifax and TransUnion, and direct those credit reporting agencies to delete all references to the illegal inquiries from each consumer's credit file.

Source: New York Attorney General's www.oag.state.ny.us



When high school kids are better than drug company chemists, we MIGHT have a problem... Is $200K enough? Shouldn't they be required to refund all purchases, give up all profits, and spend as many ad dollars explaining what they did wrong?

http://science.slashdot.org/article.pl?sid=07/03/31/150244&from=rss

Science Fair Project Exposes GlaxoSmithKline Lies

Posted by CowboyNeal on Saturday March 31, @12:49PM from the fact-checking-advertisements dept.

shadowspar writes "Despite claims made by GlaxoSmithKline that their Ribena soft drinks are high in Vitamin C, two New Zealand high school students found in their science fair research project that at least some formulations of the drink contained no detectable levels of the vitamin. As a result, GSK has been fined over $200,000 by the NZ Commerce Commission and ordered to run newspaper ads admitting that some of their drinks contain no Vitamin C."
