Sunday, April 8, 2007

TJ Maxx, Marshalls, and other dept. stores hacked!

In Chapter 8 of my book, I discussed what was the largest cyberattack at the time of its writing: the 2005 attack against CardSystems, a credit card payment processor, in which 43 million credit card numbers were exposed to attackers (but only about 263,000 were stolen). In late March of this year, the TJX group of retail department store companies (which includes TJ Maxx, Marshalls, HomeGoods, A.J. Wright, and Bob's Stores, among others) announced that they were the victim of what some are calling the largest cyberattack of all time, in which over 45.7 million credit and debit card numbers were actually stolen.

The attack against the TJX group of companies reminds us that security vulnerabilities are still very prevalent, and that the attacks they enable are getting worse because of systems with security design and implementation flaws. From my reading of various articles and TJX's SEC filing on the issue, it seems that there wasn't just a single flaw that resulted in the security breach, but that there were many flaws in TJX's security practices, which together resulted in such a spectacular attack. The stolen data even dates back to transactions from 2002. In the coming months, a Federal Trade Commission investigation will take place. If you have ever shopped at any of these retail chains, you may want to keep an eye on your credit report and credit/debit card statements to watch for fraud and identity theft.