The scope of the security breach disclosed this week by The TJX Companies Inc. is starting to make itself evident, with more than three dozen banks in Massachusetts alone now reporting that cards they issued have been compromised.
A spokesman for the Massachusetts Bankers Association said this afternoon that 40 of the MBA’s 205 member banks have said they suffered card compromises as a result of the breach at Framingham, Mass.-based TJX. That number is sure to grow as more banks report to the association, he added, noting that only about 60 have done so thus far.
In addition, the MBA spokesman said some of the banks affected by the breach have confirmed through credit card companies that the information stolen in the breach includes so-called Track 2 data taken from the magnetic stripes on the back of credit and debit cards.
Benson Bolling, assistant vice president of lending at the Alabama Credit Union in Tuscaloosa, also said this week that based on alerts from Visa U.S.A. Inc., Track 2 data appears to have been compromised in the breach.
Track 2 data includes account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion. Its apparent inclusion in the breach at TJX provides fresh evidence that IT security remains fragile at some large retailers despite efforts by credit card companies to get them to better protect customer data.
Retailers are forbidden from storing such information under the Payment Card Industry (PCI) Data Security Standard being pushed by Visa, MasterCard International Inc. and other credit card companies. But many retailers continue to do so, often because their point-of-sale systems capture and store the data by default.
Bolling said Alabama Credit Union is recalling and replacing about 2,900 Visa debit and credit cards after having received the alerts from Visa about card information — including Track 2 data — being compromised in a retail breach. The alerts didn’t identify the affected retailer, Bolling said.
Framingham, Mass.-based TJX said Wednesday that an “unauthorized intruder” gained access to its systems in mid-December and may have made off with the card data of an unspecified number of customers in the U.S., Canada and Puerto Rico, and possibly in the U.K. and Ireland as well.
The retailer, which owns chains such as TJ Maxx, Marshalls and Bob’s Stores, didn’t disclose the number of shoppers that may have been affected by the breach, saying that the full extent of the data theft “is not yet known.”
Ben Cammarata, TJX’s chairman and acting CEO, said in a letter to customers on the retailer’s Web site that company officials were “extremely disappointed” when the intrusion was discovered. TJX has since hired both IBM and General Dynamics Corp. to help it evaluate the extent of the data compromises and implement unspecified security upgrades designed to better protect its systems. In a statement released yesterday, Daniel Forte, CEO of the Boston-based MBA, criticized what he said was TJX’s characterization of itself as a victim of the data breach, “when what it appears they may have been doing is capturing data that is unnecessary.”
Further protections The breach at TJX shows why it’s so vital to purge the Track 2 data from POS and other systems, said David Taylor, vice president of data security strategies at Protegrity Corp., a Stamford, Conn.-based company that offers PCI compliance services. It also underscores the importance of encrypting sensitive data, another step that the PCI standard requires retailers to take, Taylor said.
The latest incident is sure to lend even more urgency to the efforts to get retailers to adopt the PCI requirements, said Avivah Litan, an analyst at Gartner Inc. Litan said that so far, only about 50% of Tier 1 merchants — those processing more than 6 million credit card transactions per month — have become fully compliant with PCI, even though more than 18 months have passed since the requirements went into effect.
TJX is a Tier 1 merchant and may even qualify as a card processor because of the sheer number of transactions it handles through its various retail chains, Litan said. That would require it to adhere to even more stringent security requirements, she said, adding that she expects credit card companies “to come down really hard” on TJX for its failure to protect customer data.
At the same time, banks that issue cards should be looking at ways to make card information less valuable to thieves in the event that the data is stolen, Litan said. For example, stronger forms of authentication could be used when transactions are being processed, she said. Another possible approach is to require one-time passwords when credit and debit cards are used.
The technology needed to support both of those steps is available and can be implemented fairly easily, according to Litan. But few banks appear to be doing so, she added.
The case for adopting such measures is strengthened by the fact that fraudsters are able to distribute stolen card information and make use of the data quickly, Litan and other analysts said.
According to John Buzzard, a fraud investigator at Fair Isaac Corp. in Minneapolis, information stolen in data breaches is sometimes used in less than 24 hours. Typically, data thieves do a quick “dump check” to see if stolen card numbers are valid and then either sell them for up to CDN$29 apiece or use them to make one or two significant purchases or cash withdrawals, Buzzard said.
To reduce such fraud, he said, card issuers should implement measures for verifying that names, card numbers, expiration dates and other data match the information on record when transactions are being processed. Buzzard said he thinks “a large percentage of card issuers are doing this sort of authentication” already — but not all of them.
Stronger end-to-end authentication of credit and debit transactions by issuing banks could reduce the risk of card fraud, Taylor said. “But one of the things that is worth emphasizing,” he added, “is that the customer data belongs to the merchants and they need to take responsibility for it.”