Showing posts with label data security. Show all posts

Friday, March 30, 2007

TJX Data Breach -- 45 Million Cardholder Accounts -- Thieves Had Encryption Key

In the past few days, newspapers, TV and the internet have all been saturated with news about the TJX data breach. Most reports state that information about 45.7 million credit and debit cards was stolen. According to the Washington Post, approximately 75% of the cards had expired by the time of the theft or the data stolen did not include security information. In September 2003, TJX started "masking" much of the sensitive data, meaning that it was partially or completely overwritten with asterisks. In other words, card account numbers would have been stored as "**** **** **** 1234."
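The "masking" described above (keeping only the last four digits and overwriting the rest with asterisks) is easy to get wrong in practice: code that masks a fixed number of positions breaks on 15- or 19-digit cards, and code that never validates its input will happily store junk as though it were a masked card number. The Python routine below is an added illustration, not code from TJX or from its 10-K filing. It keeps the original separator layout, validates the digits with the Luhn check before masking, and drops the card-verification value from a record outright. The sample values are standard test-card numbers and a constructed transaction record, not real accounts.

```python
import re

# Constructed sample inputs: standard test-card values (not real accounts),
# one value that fails the Luhn check, and one that is too short to be a PAN.
SAMPLE_INPUTS = [
    "4111 1111 1111 1111",
    "3782-822463-10005",
    "4111111111111112",
    "1234",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str, keep_last: int = 4) -> str:
    """Mask a primary account number, keeping only the last `keep_last` digits.

    Spaces and dashes are preserved so the masked value keeps the original
    layout, e.g. '4111 1111 1111 1111' -> '**** **** **** 1111'. Input that is
    not a plausible PAN (wrong length or failing Luhn) raises ValueError so
    that garbage is never silently stored as if it were a masked card number.
    """
    digits = re.sub(r"\D", "", raw)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("input is not a plausible PAN")
    to_mask = len(digits) - keep_last
    out = []
    seen = 0
    for ch in raw:
        if ch.isdigit():
            out.append("*" if seen < to_mask else ch)
            seen += 1
        elif ch in " -":
            out.append(ch)      # keep separators, drop anything else
    return "".join(out)


def mask_record(record: dict) -> dict:
    """Return a copy of a transaction record fit for long-term storage:
    the PAN is masked and the card-verification value is removed entirely."""
    masked = dict(record)
    masked["pan"] = mask_pan(record["pan"])
    masked.pop("cvv", None)     # hypothetical field name; never retained
    return masked


if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        try:
            print(f"{value!r:24} -> {mask_pan(value)!r}")
        except ValueError as exc:
            print(f"{value!r:24} -> rejected ({exc})")
    # Constructed record with hypothetical field names.
    print(mask_record({"pan": "4111 1111 1111 1111", "cvv": "123", "amount": "19.99"}))
```

The rejection path matters as much as the masking: a record that fails validation should be flagged rather than stored, because a masked field that was never a card number gives a false sense that the data set has been sanitized.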

This information follows on reports earlier this week of the arrest of a number of people in Florida who were caught buying gift cards at Wal-Mart using stolen TJX card data and then using those gift cards at Sam's Club stores (an affiliate of Wal-Mart) to purchase electronics and jewelry. Police estimate the scam netted $8 million. These bad guys are not suspected of the TJX data theft but rather are thought to have obtained the stolen card numbers from the data thieves. They created new credit cards reflecting the stolen account numbers which they then used to buy gift cards at a number of Wal-Marts across Florida.

The information for most of the news reports comes from a 10-K report which TJX filed with the Securities and Exchange Commission on March 28, 2007. The most ominous, and to my knowledge, so far unreported factoid in the filing is this:

Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.
The 10-K also states that one reason TJX has had difficulty determining what data was stolen is that many of the files in question have been deleted in the normal course of business.

TJX's filing lays out the time line for the discovery and reporting of the intrusion.

On December 18, 2006, we learned of suspicious software on our computer systems. We immediately initiated an investigation, and the next day, General Dynamics Corporation and International Business Machines Corporation, leading computer security and incident response firms, were engaged to assist in the investigation. They determined on December 21, 2006 that there was strong reason to believe that our computer systems had been intruded upon and that an Intruder remained on our computer systems. With the assistance of our investigation team, we immediately began to design and implement a plan to monitor and contain the ongoing Computer Intrusion, protect customer data and strengthen the security of our computer systems against the ongoing Computer Intrusion and possible future attacks.

On December 22, 2006, we notified law enforcement officials of the suspected Computer Intrusion and later that day met with representatives of the U.S. Department of Justice, U.S. Secret Service and U.S. Attorney, Boston Office to brief them. At that meeting, the U.S. Secret Service advised us that disclosure of the suspected Computer Intrusion might impede their criminal investigation and requested that we maintain the confidentiality of the suspected Computer Intrusion until law enforcement determined that disclosure would no longer compromise the investigation.

With the assent of law enforcement, on December 26 and December 27, 2006, we notified our contracting banks and credit and debit card and check processing companies of the suspected Computer Intrusion (we refer to credit and debit cards as “payment cards”). On December 27, 2006, we first determined that customer information had apparently been stolen from our computer systems in the Computer Intrusion. On January 3, 2007, we, together with the U.S. Secret Service, met with our contracting banks and payment card and check processing companies to discuss the Computer Intrusion.

Prior to the public release of information with respect to the Computer Intrusion, we provided information on the Computer Intrusion to the U.S. Federal Trade Commission, U.S. Securities & Exchange Commission, Royal Canadian Mounted Police and Canadian Federal Privacy Commissioner. Upon the public release, we also provided information to the Massachusetts and other state Attorneys General, California Office of Privacy Protection, various Canadian Provincial Privacy Commissioners, the U.K. Information Commissioner, and the Metropolitan Police in London, England.
In an (un)related matter, the TJX Board recently approved a $1 billion stock buy-back program.

Wednesday, March 7, 2007

Protecting Banks from Retailers' Data Breaches

State Representative Michael Costello has introduced a bill in the Massachusetts legislature which would make retailers whose information systems are compromised reimburse banks for costs associated with cancelling and reissuing customers' accounts and credit cards. House Bill 213 would make a commercial entity which suffers a data breach liable to a bank for the "costs of reasonable actions undertaken by the bank on behalf of customers of the bank as a direct result of an actual breach of data security...." Types of costs covered include:

  • cancelling and reissuing a credit card
  • closing accounts and blocking transactions
  • opening of new accounts
  • refunding unauthorized transactions
Retailers would argue that they already pay for credit card fraud in the high interchange fees that the card associations assess on every transaction. In addition, the card associations can (but rarely do) fine merchants who don't follow security procedures.

The Wall Street Journal reports that similar legislation at the federal level is possible:
Massachusetts Rep. Barney Frank, chairman of the House Financial Services Committee, said yesterday that he believes Congress also will pursue data-security legislation that would require the entity responsible for a breach to bear the costs incurred from customer notification and card reissuance. He also favors a "national trigger" for notification about such a breach.
Rep. Frank wrote to Visa and MasterCard in February 2006 complaining that the responsibility for notifying consumers that their financial information may have been compromised fell to banks rather than the retailers who lost the confidential data.

Friday, March 2, 2007

Feds Charge Stop & Shop Thieves with Identity Theft

Four California men were arrested on Monday after being caught in the act of modifying a PIN pad at a Stop & Shop store. They were formally arraigned on multiple felony charges in state court. On Wednesday, Federal prosecutors filed a criminal complaint against the men charging aggravated identity theft and conspiracy to traffic in fraudulent access devices. The dollar amount of the fraud is not precisely known at this time, but media reports suggest it’s at least $100,000 and will continue to grow as the investigation proceeds.

Read the AP story in BusinessWeek

Emoolaw posts discussed the discovery of the modified PIN pads and also the arrests of the bad guys.

Wednesday, February 28, 2007

Four Arrested in Stop & Shop Data Thefts

The Associated Press reports that 4 California men have been arrested and charged in a scheme to steal card numbers and PINs. They were caught trying to remove a PIN pad in a Stop & Shop store in Coventry, R.I. and are the prime suspects in a series of similar tamperings which we reported on last week.

After discovering compromised devices earlier this month, the store bolted down the keypads in all of the stores and that precaution thwarted the thieves this time. A store security officer saw the men messing with the PIN pad and called the police.

The lesson for other merchants -- consider adding bolts to your data security plan.

Monday, February 26, 2007

EU Parliament Says Central Bank Should "Swiftly" Address Data Protection

The European Parliament has adopted a resolution which admonishes the European Central Bank (ECB) for failing to enforce EU privacy laws against SWIFT (the Society for Worldwide Interbank Financial Telecommunication), which provided data on financial transactions to U.S. law enforcement. SWIFT is a cooperative of European banks and financial service companies which provides automated systems that enable members to transfer money between and amongst themselves. On a daily basis, SWIFT handles millions of transactions -- many of them cross-border -- totalling trillions of dollars.

The story begins in June 2006 when the New York Times reported that, as part of on-going terrorism investigations, U.S. law enforcement had requested and received from SWIFT access to information on millions and millions of funds transfers made through the messaging system. SWIFT has some operations in the U.S., including a data center with a mirror of all of the transaction data. When American law enforcement served a subpoena on SWIFT seeking access to data in the U.S., SWIFT felt legally obligated to comply. SWIFT explains its actions this way:

SWIFT negotiated with the [U.S. Treasury] over the scope and oversight of the subpoenas. Through this process, it received extraordinary protections and assurances as to the purpose, confidentiality, oversight and control of the limited sets of data produced under the subpoenas. These protections go well beyond and are more stringent than SWIFT’s legal obligations.
Despite the limitations placed on the surveillance effort, the program was heavily criticized, especially in Europe, and numerous investigations ensued. Because SWIFT is based in Brussels, the Belgian Privacy Commission looked into the matter and reported its findings. The Belgian report provides the best description of what exactly US officials asked for and how SWIFT responded. The Commission concluded that SWIFT should have informed European authorities of the American subpoenas before complying.
As far as the communication of personal data to the [U.S. Treasury] is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas.
SWIFT, however, strongly disagreed with the Commission's conclusions. The Commission categorized SWIFT as a "data controller" while the group viewed itself merely as a "data processor." SWIFT felt the Commission had misunderstood its role in the financial transactions it facilitates and consequently placed greater obligations upon it than the law requires.

The European Parliament also conducted an investigation. The Committee on Civil Liberties, Justice and Home Affairs held a joint hearing with the Committee on Economic and Monetary Affairs on October 4, 2006 on the interception of bank transfer data from SWIFT by US intelligence agencies. In January, Members posed additional questions to the EU Commission and to the EU Council regarding their knowledge of and response to the matter. The interrogatory posed to the Council pointedly asks: "Why have the Council and the Member States been passive in an affair where their citizens' data have not been protected and where there is a suspicion of business espionage?"

On November 22, Parliament's Working Party on the Protection of Individuals With Regard to the Processing of Personal Data (often referred to as the Article 29 Working Party or WP29) issued an opinion which concluded that the provision of bank transfer data by SWIFT to US authorities violated portions of the EU Data Protection Directive. WP29 agreed with the Belgian Commission that SWIFT should be categorized as a data controller with greater obligations with regard to privacy.

The European Central Bank responded to Parliament in a January 30, 2007 letter setting out its views of the issues. The Central Bank noted that there is no viable alternative to SWIFT for many transactions. With regard to the use of SWIFT services, the ECB said it would seek the consent of individual counterparts in payment transactions before providing their information to SWIFT. In response to suggestions that it take responsibility for ensuring that SWIFT is in compliance with EU data protection rules, the ECB firmly stated that such oversight is outside of its legal authority.

On February 1, 2007, Peter Hustinx, the European Data Protection Supervisor issued an opinion stating that the European Central Bank, as a user and overseer of SWIFT as well as a policy maker, should have exercised appropriate control and supervision over the service. The EDPS requested that the ECB
urgently explore and promote appropriate solutions in order to clearly bring compliance with data protection rules within the scope of the oversight - to the extent in which lack of compliance may affect financial stability and without prejudice to the competences of relevant national or European data protection authorities - as well as to ensure that rules on confidentiality would not prevent relevant authorities from being duly and timely informed where necessary. This would ensure that on future occasions proper data protection safeguards are taken and that the current lack of transparency is avoided.
The opinion continues:
Furthermore, the EDPS stresses that it would not be acceptable that the architecture of the European payment systems would continue to allow and facilitate that personal data relating to any euro payment between Member States are transferred to third countries in breach of the data protection legislation and made available - routinely, massively, and without appropriate guarantees - to third countries authorities. Therefore, the EDPS calls on the ECB, in cooperation with other central banks and financial institutions, to ensure that European payment systems, and in particular the TARGET systems, are fully compliant with European data protection law.
According to The Register, the EDPS can take punitive action against the ECB, but its options are fairly limited. It could bar the central bank from using SWIFT to make payments, but given that there is no alternative for making international payments, that possibility seems remote.

Which brings us back to the European Parliament's resolution on the SWIFT controversy and, more specifically, on the ECB's role in policing data protection in the payment system. The resolution endorses the Hustinx opinion and calls on the ECB to take the following actions:
  • as SWIFT overseer, to explore solutions in order to ensure compliance with data protection rules and to ensure that rules on confidentiality do not prevent information from being supplied in good time to the relevant authorities;
  • as user of the SWIFT Net-FIN, to explore solutions to bring its payment operations into compliance with data protection legislation, and to prepare a report on the measures taken no later than April 2007;
  • as policymaker, to ensure, in cooperation with central banks and financial institutions, that European payment systems, including the updated 'TARGET2' system for wholesale payments, fully comply with EC data protection law; calls for the ECB to provide the Parliament with the assessment of such compliance.
The ECB is supposed to issue a report in April which will presumably address Parliament's concerns.

Friday, February 23, 2007

Stop and Shop PIN Pad Rigging Similar to Canadian Cases

Digital Transactions reports that the Stop and Shop data breach disclosed recently appears similar to a series of Canadian crimes that took place last year. In both cases, PIN pads were modified to capture card and PIN information.

Last summer, Canadian police arrested at least 10 people they said used rigged card terminals to intercept PINs as cardholders entered them at the point of sale as part of a scheme in which they stole $4 million (Canadian) from 18,000 customer bank accounts (Digital Transactions News, June 21, 2006). In what press accounts called one of the most technologically sophisticated cases of debit card fraud yet discovered, the suspects swapped their own card readers for those installed in some 42 retail locations in the Montreal area, then used Wi-Fi connections to send PINs and card numbers to a remote receiver. With that information, they were able to forge cards and loot the associated accounts through ATM withdrawals. Similar cases of tampering cropped up in other Canadian cities last year, as well.

What liability Stop and Shop may have to customers who are harmed by the data breach will turn in part on whether the company took appropriate security measures to protect the PIN pads. Digital Transaction also reports that the security standards for some PIN pads changed at the beginning of the year.

The perpetrators may have exploited an inspection loophole in point-of-sale systems that was closed in the recent update of the Payment Card Industry (PCI) data security standards promulgated by the leading payment-card networks. Under the old PCI standards, POS equipment that did not run on an Internet Protocol (IP) operating system did not require an assessment for PCI compliance, says Scott Laliberte, IT risk group director at Protiviti Inc., a Chicago-based security firm and PCI auditor.
If Stop and Shop's PIN pads did not run on IP, then it will be more difficult for potential plaintiffs to argue that the stores were not in compliance with industry security standards.

Monday, February 19, 2007

Stop & Shop Data Breach -- POS Devices Tampered With


The Boston Globe reports that point-of-sale (POS) devices at several Stop & Shop locations in Rhode Island and Massachusetts were tampered with, allowing thieves to steal credit and debit card information and PINs. Stop & Shop issued a public letter to its customers about the incident and published Frequently Asked Questions on its website. While the Stop & Shop FAQs state that "no fraudulent transactions relating to debit or credit cards used at these store locations have been reported to Stop & Shop," the Boston Globe story says that a "bank notified Quincy, Mass.-based Stop & Shop this week that illegal purchases were made."

So far, there is no information on the make or model of the POS devices or on how they were tampered with. If litigation ensues, one wonders whether the hardware manufacturer will be brought into the fight.

Saturday, February 17, 2007

TJX Class Action Lawsuits

At this point in time, there are 5 class action lawsuits filed against TJX and, in some cases, its acquiring bank Fifth Third. Four of the cases attempt to assert claims on behalf of all individuals whose personal information was compromised by TJX. The fifth case (Amerifirst) asserts claims on behalf of all financial institutions which issued credit and/or debit cards that were compromised by the TJX data breach. The cases are summarized in the chart below.

Plaintiff(s)               Defendant(s)                 Court      CA number           Filed
Wood, Willoughby           TJX, Fifth Third             N.D.Ala.   07-cv-00147 (RDP)   01-19-07
Miranda, Farley, Jenkins   TJX, Fifth Third             D.P.R.     07-cv-01075 (FAB)   01-26-07
Mace                       TJX                          D.Mass.    07-cv-10162 (WGY)   01-29-07
Amerifirst Bank            TJX, TJ Maxx, Fifth Third    D.Mass.    07-cv-10169 (JLT)   01-29-07
Gaydos                     TJX, Fifth Third             D.Mass.    07-ca-10215 (WGY)   02-05-07

For some reason, not all of the columns in the chart are viewable on the blog. You can view the entire chart here.

I'll post the complaints as well as an analysis of each case in the next few days.

Tuesday, February 13, 2007

Massachusetts AG to Lead 30 State Probe Into TJX Data Breach

Massachusetts Attorney General Martha Coakley announced her office will lead a multi-state civil investigation into the recent data breach at TJX Companies, parent to TJMaxx, Marshalls, HomeGoods and a number of other well known retail chains. Coakley has asserted control of the investigation because TJX is based in Framingham, MA. Eweek.com reports that 30 other states have joined the probe.

The Massachusetts Bankers Association reports that thieves have made fraudulent use of credit and debit card information from the TJX incident in Florida, Georgia and Louisiana, as well as in Hong Kong and Sweden. Nearly 60 banks in Massachusetts have been contacted by the card associations and told that information about their card holders was disclosed. Banks are notifying their customers and in many cases are reissuing cards.

The fact that card holders and banks are (allegedly) able to trace particular fraudulent transactions back to a particular data breach by a particular corporation means the TJX matter is going to be very significant. It is the first big case in which people harmed by a data breach will be able to identify and then, of course, sue the company responsible for the disclosure of their personal information. Will there be class action lawsuits? Oh, please! Half a dozen have already been filed and my guess is that's just the start. More info on the class action litigation in a future post.