Complain about a product or service

Data From T.J. Maxx Breach Connected To Florida Fraud

By Martin H. Bosworth
ConsumerAffairs.com

March 22, 2007

TJX • TJX To Pay Mastercard $24 Million For Data Breach • TJX Settles with FTC Over Data Breach • TJX Settles with Banks over Data Breach • TJX Settles Visa Suit over Data Breach • Attorneys General Oppose TJX Data Breach Settlement • TJX Data Breach Victims Reach 94 Million • TJX Data Breach Settlement Has Strings Attached • Wireless Hackers Suspected In TJ Maxx Breach • TJX Data Breach Called "Biggest Ever" • Data From T.J. Maxx Breach Connected To Florida Fraud • TJX Data Breach Bigger than Earlier Estimates • Massachusetts, Rhode Island Open TJX Probes • TJX Sued for Loss of Consumer Data • Hackers Hit T.J.Maxx, Marshalls • Congress Takes On Data Security --- • TJX Customers: What To Do

Personal information stolen in the massive TJX data breach was used by thieves to make $8 million in purchases from Wal-Mart stores in Florida, according to authorities.

The thieves encoded the data on "clone" credit cards, then used the clone cards to purchase gift cards from Wal-Mart and Sam's Club stores throughout the Sunshine State. The crew of thieves used the gift cards to buy computer games and high-end electronics.

The Florida Department of Law Enforcement and the Gainesville Police Department reported that six individuals had been arrested and charged with organized intent to defraud, a first-class felony. Authorities said they were pursuing four other individuals in connection with the scheme. The Florida Department of Law Enforcement claimed that it had notified the TJX company of the fraud ring in November 2006.

The TJX company, owner of retail store chains T.J. Maxx and Marshalls, announced in January 2007 that it had discovered a breach of customer payment data it had been storing, leading to a wave of cancellations of credit and debit cards.

TJX steadfastly refused to reveal how many customers had been affected, but cards were canceled as far away as Canada and the United Kingdom.

TJX first estimated that the breaches took place between May and December of 2006, but later admitted that it had detected breaches of its security as far back as July 2005, and other incidents of fraud in 2003 and 2004.

The embattled company is facing inquiries into its security failures in Massachusetts and Rhode Island, as well as multiple lawsuits from aggrieved customers.

Most recently, the Arkansas Carpenters' Pension Fund, one of the largest shareholders of TJX, filed suit against the company for denying access to information detailing the breach and the security failures. The suit was filed in Delaware, which has state laws granting shareholders the right to access company documents under particular circumstances.

The Federal Trade Commission (FTC) had also confirmed that it was investigating TJX in the wake of the breach, but details of the investigation remain unknown.

Black Market Bazaar

How did a crew of Florida fraudsters get access to information from a data breach in a Massachusetts company?

Most likely, they took advantage of the thriving "underground economy" that trades in personal information. Information acquired in data breaches, laptop thefts, and other forms of hacking is often sold in black-market Internet chats that cater to criminal groups. According to a recent report by Symantec, a full suite of personally identifying information can be bought for as little as $14.

Criminals are getting increasingly sophisticated regarding the use of stolen information. Rather than simply taking an individual's identity outright, they will combine parts of different identities to create a new "synthetic" identity, one much more able to pass tests of fraud verification and open new credit accounts.

Hacker rings will often create "clone" credit cards from items as innocuous as hotel key cards and use them for small purchases that don't require personal identification or trigger fraud detection measures.

In the case of the Florida fraud, the suspects used multiple gift cards totaling $400 each to pay for their purchases -- because gift cards with a value of $500 or more would have required them to provide identification when making their buys.

Concealed Damage

The difficulty of tracking clone cards and synthetic identities distorts the actual picture of overall identity theft crime.

Typically, companies or agencies who have suffered a data breach will claim no identity theft or fraud was detected after the breach was discovered, but criminal rings will wait weeks or months to start using the data they purchase, and will mix it with other pieces of data to obscure the trail.

In addition to Symantec, Javelin, Gartner, and the FTC have all put out reports documenting trends in fraud complaints, identity crimes, and losses from theft. Although the Javelin study claimed that identity theft was on the decline, the other studies claimed to see increases across the board.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |