-
Russell Mickler, Principal Consultant, has over 17 years of professional experience leading and managing IT organizations.
World’s Largest PPI Theft Announced Yesterday
Written on March 29, 2007
Leave a Comment
|
The largest exposure of personal private information (PPI), affecting 45.7 million consumer credit card numbers, was reported by the Framingham, Mass.-based retail giant TJX Companies, Inc.
The exposure was released in their quarterly SEC filing and announced by the Boston Globe last night, although the incidents happened in December 2006; the gag on the press was requested by law enforcement trying to investigate the crime. Within the filing, the company also indicated that “a relatively small number” (455,000) customers’ driver’s licenses and other PPI was stollen as a result of the release.
TJX said the attacker exploited a flaw in their computer network that handles credit, debit, check, and merchandising return transactions for its stores TJ Maxx, Marshalls, HomeGoods, TJX Bob’s Stores, and AJ Wright stores in the US and Puerto Rico, Ireland, and the UK; Winners and HomeSense stores in Canada.
A special helpline is in place for TJX customers who have questions about the data breach. Customers may reach the helpline toll-free at 866-484-6978 in the United States, 866-903-1408 in Canada, and 0800 77 90 15 in the United Kingdom and Ireland.
Ironically, Mass. is one of the 19 states in the US that does not have a data breach notification or information system security law in place to protect consumer PPI; a bill was first introduced last year by Rep. Michael Costello, a Democrat in the Massachusetts House of Representatives, to address this problem but it was shelved last year while lawmakers took up healthcare and other issues. This means that, unlike 31 other states, TJX is not under any obligation to announce the breach to end consumers nor is it considered a federal or state crime to “accidentally” release 45.7 million credit card records. Consumers are left to fend for themselves, capable only of filing a civil tort for damages individually against TJX should the breach be proven to be consequential and material.