playing the dumb card

I'm assuming this is all down to online shopping and not orders made in store right? Why do they need to hold the credit card details of that many cards after payment has been authorised and taken? And if it isn't online, why would they have the corresponding names and addresses for all those people, the two bits of information you're always meant to keep separate?

Or is this my naivety, that once you purchase from a shop the company won't be interested in tracking your shopping habits every step of the way... almost makes me want to move back to cash payment again...

We need a disclosure law for the UK

I like to indulge in a bit of traditional English xenophobia and casual racism as much as the next guy, but I can't believe that this is solely a problem for the merkins.

At least when their monolithic corporations put all of their customers at financial risk they have to cough up to it.

Re: John MacIntyre

>I'm assuming this is all down to online shopping and not orders made in store right?

The article states "after hacking into systems involving card authorisation". That doesn't give any indication as to whether these are in store or not. Chances are the data would travel through the same system irrespective. So to jump on the internet fraud bandwagon at this stage would seem a little hasty/speculative.

>Why do they need to hold the credit card details of that many cards after payment has been authorised and taken?

Who said this occurred AFTER that?

>And if it isn't online, why would they have the corresponding names and addresses for all those people, the two bits of information you're always meant to keep separate?

The article clearly states "Hannaford said hackers might have accessed customer credit and debit card numbers - but not the corresponding names or addresses"

>Or is this my naivety, that once you purchase from a shop the company won't be interested in tracking your shopping habits every step of the way... almost makes me want to move back to cash payment again...

Companies DO track what you buy to build up a marketing profile. It's usually done via storecards rather than credit card data. Certainly, that would be unlawful in the UK and I expect so for the US (that said, the US do have some odd data protection legislation).

Something doesn't fit here...

If only credit card numbers and expirations were revealed, I believe that isn't enough for someone to execute fraudulent transactions, as, IIRC, one also needs the cardholder's name. How, then, do they get thousands of fraud cases using these numbers?

definition of data security compromise

Spectacular announcements about massive data security breaches do the public little good. The implication of these announcements is that some data (i.e., that which are the subject of the announcements) are more exposed than other data. As a practical matter that is false. All personally identifiable data are more or less exposed all the time. And successful exploitation of that data by an identity thief requires a lot of work and luck. Socially responsible data-holders should set a high threshold of proof before concluding that a "data security breach" worthy of announcement has occurred for any given unit of data. (Data-holders should of course consult their attorneys.) http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html

Another snafu but...

might not be as bad as it sounds. Card numbers by themselves are pretty useless. To make a transaction you'd need as a minimum the card holder's name, issue/expiry dates and cv2 code. Interestingly many card issuers don't need the address for verification.

I'm a Mainer

that shops at Hannaford all the time, and am trying to figure out if someone is having a field day with my cash. Still trying to figure out if I need to cancel my account, but nothing has shown up as of yet. My mom thinks it's funny that she had to inform the family tech of such an event. She has an odd sense of humor.

@benjamin wright

After talking with a colleague in the area, I understand that the company made the disclosure on the advice of their legal staff - based on their legal staff's understanding of compliance with state law on disclosure.

@rainforestguppy

I just assisted a friend in a PCI compliance audit and needless to say, the fines that are levied against merchants are NOT equal. TJ Maxx was a wake up call for the entire credit/debit industry (creditors, the processing companies and the service companies that write the transaction handling database software). Did anybody pay a damn bit of attention? No. Did anybody scream for sweeping reform? Hardly. Instead of doing what's right, by protecting the data through encryption, at every level... Or even reducing the number of hops a transaction has to take, between merchant/creditor/consumer, track data, account numbers and personal information gets bounced all over the place.

I must qualify my last sentence based on the fact that only within the last year and a half (in my experience) software publishers are now finally warning merchants of the possible risks in using older software.

The fines and penalties levied against TJ Maxx are no where near the same percentage that are placed on smaller merchants. For example, one business I worked on had approximately 1000 cards and $200,000 worth of fraudulent charges that were ultimately traced back to a compromised and unencrypted POS system they used. Once we got it all secured and mitigated, and went through several PCI compliance reviews, with fines and other associated costs, the business had to pony up almost $100,000. The happened to be more than 10% of their gross annual revenue and if they're lucky and can stay in business, they might become profitable again in 5 or so years.

Yet TJ Maxx has a limit on the amount they're liable for? Sorry, but their entire executive board should be behind bars. And this store gets compromised and roughly 4.2 million cards are potentially compromised? They should be shut down. Period.

Oh, as for the secret service... Unless the fraud amount is less than something in the high 6 digit range, they generally won't even return a phone call. We got more help from the FBI than the Secret Service, but sadly, due to the international nature of all the fraudulent transactions, their hands were somewhat tied.

using just cc number and expiry

I know of payment machines that take a credit card that dont require any pin or any other type of authorisation.. so dumping the cc number and exp to a card and then using it in one of these types of machines could be one way to defraud ?

@robert

It is possible for merchants to process transaction with just the name, card number, and expiry dates. In practice however very few are prepared to do so because of the extra liability they take on. For example if they go ahead with a transaction minus the cv2 code, the merchant and not the card issuer then becomes liable for chargebacks.