Skip to main content

Class action bank lawsuit against TJX: When the levee breaks

Well this may have seemed inevitable, but the uneasy truce between retail vendors and merchant banks (credit card providers) has broken. Banks are gearing up a massive class action suit against TJX, the parent company of TJ Maxx, which recently revealed the shocking extent of the break-in which resulted in the theft of 45 million credit card numbers and other data from their network. Forty million credit card numbers were stolen over a period of two years or more by crackers who had extensive access to systems handling sensitive data throughout that time. Investigations of consumer fraud revealed a pattern of exposure at TJ Maxx stores, leading in turn to discovery of the break-in.

Banks Hit TJ Maxx Owner With Class-Action Law Suit

This is an interesting decision on the part of the banks, as the financial industry may one day find themselves on the receiving end of similar class action law suits brought about by other banks or consumer groups when data theft can be traced back to their own security foibles.

In fact, the TJX event became the largest on record to date by displacing the 2005 cracking of CardSystems Solutions, a credit card transaction processing company who suffered a network intrusion which exposed 40 million credit card accounts. (Regulators Start Inquiry in Data Loss)

If it keeps on rainin' levee's goin' to break
If it keeps on rainin' levee's goin' to break
When The Levee Breaks, got no place to stay.
-- Led Zeppelin

Technorati Tags: , , , , , , , , , , , , , , ,


Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual domai…

Hacker 0x80 0wn3d by FBI (Arrested after Accidental Outing by Washington Post) [1]

What can the botmaster 0x80's impending misfortune [1] teach us about information security? Quite a bit. What the botmaster and the reporter didn't count on is a security risk known as "the aggregation problem" or "point and click aggregation". It's not surprising, as even practicing security professionals are often unaware of this problem, or vaguely aware of the concept but not the name. Information Security dictionaries online generally lack the terms, and don't mention them in their discussion of "disclosure" either. The aggregation problem happens when a series of small facts, any one of which if disclosed present a minimal security risk, combine to present a greater security risk when disclosed together. When aggregated, information from publicly available sources may accidentally disclose information that was intended to remain confidential. As it happens, an IETF glossary contains a definition of the basic term. RFC 282…

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident.

I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company.

Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber