TJX Security Breach Risks Consumer Identity

By admin | Aug 13, 2007

Here we go again. This is part of the identity theft problem. You can do all you want to keep your data out of the hands of thieves. You can shred all your documents. You can burn any unused or used credit cards. But you can’t do security for the retailers that you frequent. TJX is the parent company of some successful retail chains like TJ Maxx. This past spring, TJX had 45 million credit card and debit card customer numbers stolen. You read that right – 45 million. That would make it the largest breach of customer information ever. My mouth fell open bigger than a kid’s mouth on Christmas morning when I heard that figure the first time. But, as the details of the breach come to light, my shock has turned to anger.

It seems that the attackers used in-store kiosks to obtain most of the data they needed. Yes, you read that right. Here’s the deal. Kiosks were set up in these stores to provide applications to folks wanting jobs in the stores. This is not uncommon. I’ve read before of different hacks to reach the underlying operating system on these units. Most of the hacks are rudimentary because kiosks tend to be poorly configured and secured. But here’s the kicker. These kiosks were attached to the corporate network. And, not only that, but those kiosks were allowed unfiltered network access. That means that no firewall was set to check the traffic coming from those kiosks. But the attackers still needed a way to get their bag of tools onto the network. I mean, if you’re going to hack around, you want your kit with you.

Well, have no fear, because those kiosks also provided USB ports on the back. Yep, that convenient slot accepts things like mice, keyboards, or printers. But our attackers loaded up their USB drives with all manner of hacking goodness. Then they plopped their wares onto the kiosk and it was play time. Unfettered access to a corporate network. Now it was time to harvest customer account information at will.

When I first started reading about the breach of customer data in the TJX case, I was, of course, concerned and shocked.  But, now that details are emerging on the lack of security protocols at TJX, I am angry.  And I haven’t even talked about their shoddy transaction security or their storage of customer information.  Some of those practices are just as bad.  This is similar to the recent State of Ohio taxpayer security breach.  And it highlights something that is extremely frustrating and scary.  You, the consumer, can do all you can to protect your identity.  But your state government and local retailers may be handing your information over to thieves while you are shredding your bank statements.

© 2009 PaulTech Network