Tuesday, August 5, 2008

"TJ Maxx 11" Charged With 40 Million Card Theft

A group of hackers who spent several months downloading 40 million consumer credit card profiles from horribly insecure wireless networks operated by TJ Maxx has allegedly been found, arrested and charged.

Yes, I know: "TJ Maxx Eleven" isn't about to be turned into a movie. But it certainly has the makings of one.

The hackers, who took turns monitoring wifi traffic from cars parked outside the stores, found security was so lax on TJ Maxx's wifi networks that they allegedly left notes for each other in plain sight in the databases they hacked into - informing their cronies which records still needed to be uploaded/stolen.

"Dave, I'm fresh out of Doritos and trail mix... suggest you start downloading the credit card records from the August purchases table while I reload..."

Database hacks are horrible because consumers are entirely at the mercy of corporate policy - there is almost nothing they can do aside from buying insurance.

And getting hacked doesn't just mean your credit is up for grabs - it creates inconvenience and potentially large costs for banks and credit unions, which must reissue cards.

The hack was allegedly the biggest ever. The DoJ is calling it an international conspiracy and says that nationals of The Ukraine, Belarus, China and Estonia are responsible. These guys will be going away for a long, long, long time.

The TJ Maxx IT security guys? Still at large.

Note: TJX Corp is a large holding company and operates the TJ Maxx chain, plus Barnes and Noble, BJ's Boston Market, Dave and Busters, DSW shoe stores, Forever 21, Office Max, Sports Authority and the Wholesale Club.

I'm sure they have a different group running IT security these days. Or at the very least, a much larger security budget.
