Compliance Management, Critical Infrastructure Security, Privacy

Stolen TJX data used in Florida credit card fraud ring; Arkansas organization sues to see firm’s data protection


Six Florida residents were arrested this month, and authorities have issued warrants for four others, for allegedly launching a multimillion-dollar state-wide credit scam with information stolen in the TJX Companies data breach.

TJX, the parent of T.J. Maxx, Marshalls and other discount retailers, was the victim of a network hack that breached the personal and financial information of an unknown number of customers in 2005 and again last year.

Two cases of credit card fraud in Gainesville, Fla. launched an investigation by local police and the state Department of Law Enforcement, according to a Tuesday report in the Gainesville Sun.

The suspects allegedly took stolen credit card numbers and placed them on encrypted magnetic strips, then attached them to the back of fake credit cards, according to the report.

The suspects, ages 19 to 40, traveled around Florida purchasing large amounts of gift cards with the fraudulent credit card information, according to the Sun.

Paul Stephens, policy analyst at the Privacy Rights Clearinghouse, told today that the Florida arrests most likely represent only a few of the fraudsters who purchased the TJX credit card information.

"It appears that the suspects had purchased this information from the hackers, so it’s clear that there is a black market for this type of information. This may just be [the beginning], because there are probably many other individuals throughout the country who have purchased this information," he said. "Hackers do not do all of this work to only sell the information to one small group of people."

Calls to TJX seeking comment were not returned.

Meanwhile, the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock, filed suit against the company on the grounds that TJX did not provide information on safeguards it’s added to protect customer data.

The organization filed suit in a Wilmington, Del. court on Monday, according to reports by Dow Jones Newswires.

The Federal Trade Commission announced last week that it is investigating the breach. In February, TJX confirmed that credit card and debit card transactions completed between January 2003 and June 2004 at its U.S., Canadian and Puerto Rican outlets were compromised. The company had previously reported that the information was potentially accessed.

The company also said that it has discovered that the portion of the network that processes T.K. Maxx transactions may have also been hacked. T.K. Maxx stores are located in the U.K. and Ireland.

Stephens said stockholders will occasionally sue firms to disclose corporate practices, but added, "This is the first time I’m aware of where it’s been done to see what the data management practices are."

Vijay Bisani, eIQnetworks CEO, told today that corporations should monitor sensitive data because hackers will patiently test networks for exploitable holes.

"Not just [TJX], but any company out there that deals with confidential information or credit card information should have a practice in place to monitor the data," he said. "You can see the pattern out there. We all know that the bad guys don’t just go and do everything at once. They do it over time, and they do it in multiple locations, and see what systems are vulnerable to them and how they can get the sensitive data."

Click here to email Online Editor Frank Washkuch Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.