Skip to main content
February 23, 2007

TJX Data Theft Just Keeps Getting Worse

TJX issued a press release yesterday coming clean on what they know about the breach of their corporate network. They are now admitting that they have been compromised as early as July 2005 and continued to be compromised up until December 2006. It is unlikely only one attacker found the vulnerabilities exploited. I wouldn't be surprized if dozens of attackers found their way into the network during that time.

One of the pieces of data stolen was driver license numbers given by customers when returning merchandise to "T.J. Maxx, Marshalls, and HomeGoods stores in the U.S. and Puerto Rico for the last four months of 2003 and May and June 2004." Drivers license numbers in many states are the same as social security numbers. Along with names and addresses this is the "keys to the kingdom" for identity theft. My state, Massachusetts, offers an alternative license number. When you renew your license they ask you whether or not you want an "S number" or to keep your "old number". I don't know why anyone would want to keep their social security number.

Giving up such sensitive personal information just to return merchandise has always made me a bit nervous. Now I dont feel paranoid. If you give up information in the current corporate information security climate, it has a high likelihood of being stolen. Presenting a drivers license number to return merchandise only benefits the merchant. It protects them by being able to track the people who abuse the store's return policy. It is likely that the merchant is going to hold on to this information for a long time. In such a one sided transaction of sensitive information the merchant has a duty to be a trusted custodian of this data and go above and beyond the PCI data standards. Yet, this storage of personal info is completely outside of PCI and is unregulated.

Consumers have to start to demand protections for personal data handed over to merchants when there is no benefit to them. If there are no assurances of protection they should refuse. I was asked yesterday for my social security number in order to file a claim for a broken window on my car. I asked why the number was needed and the woman on the phone couldn't give me an answer. I said I was uncomfortable giving over my social security number when it wasn't required and there was no reason other than the insurance company's convenience. She then said they would send a form in the mail asking for it. I am not planning on filling it in until I get some better answers.

Related Content

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.