TJX Settles Investor Lawsuit Related to Data Breach

According to a report in the Boston Globe, TJX has settled a lawsuit brought by the Louisiana Municipal Police Employees’ Retirement System, a TJX stockholder, which had alleged that the TJX board of directors failed to protect customers’ personal data, apparently in connection with the Albert Gonzalez breach. Bloomberg News has reported that the case was settled for $595,000 in legal fees and an agreement regarding enhanced oversight of customer files. There is no reference to this suit in TJX's most recent Form 10-Q.

Informants & Albert Gonzalez: She Swallowed the Spider to Catch the Fly

In August, Albert Gonzalez was indicted for the theft of credit and debit card information from Heartland Payment Systems, the largest known breach of its kind, while awaiting trial for a similar attack against TJX, the second largest known breach of its kind. Last week, Gonzalez pleaded guilty to nineteen charges relating to his role in the TJX breach (see Gonzalez's 2008 indictment (.pdf) for a list of the various charges).

One of the most interesting facts that has come out about Mr. Gonzalez in the wake of news that he was responsible for the Heartland incident is that he was employed by the Secret Service as an informant in the TJX matter. It appears that Mr. Gonzalez first became an informant when he was arrested in 2003 as the leader of an identity theft ring, and he apparently continued to work as an informant for the government even while he was allegedly committing these thefts. 

Interestingly, there are some indications that Mr. Gonzalez may have been aided by another government informant in committing the Heartland attack. The indictment for the Heartland attack lists an unindicted co-conspirator by initials only, which means, in the words of Mark Rasch, a former Justice Department cyber crime prosecutor, “[I]t's quite likely that the government is using an informant against Gonzalez, their previous informant.” So, of the four people the government believes to have been involved in the Heartland attack, fully half of the alleged hackers (and the only Americans believed to have been involved in the attack) were apparently employed by the Federal Government to help prevent attacks of just this sort.

Trends in Data Breach Incidents, Part 1: Identity Theft Resource Center (ITRC) Reports Breaches Up 47% in 2008, Hackers Only Responsible for 13.9% of All Incidents

On January 2, 2009, the Identity Theft Resource Center (ITRC) released its report (.pdf) on data breaches in the United States in 2008 (you can read the Washington Post’s primer on the ITRC’s findings here). The raw numbers are headline grabbing — 656 data breaches in 2008, a 47% increase from 2007. The sharp increase from 2007 to 2008 could be the result of an increase in data breach incidents, and most of the reporting on the ITRC’s report takes this view, but it could also be due to increased media interest, new mandatory reporting laws, and greater public interest in the issue. As in 2007, the ITRC relied on public reporting of breaches to compile its list, so the ITRC’s findings should be expected to increase as public reporting of data breach incidents increases.

The ITRC also reports that over 35.5 million personal and/or financial records are known to have been exposed in 2008. This number covers only the 402 of the 656 reported breaches where a public report indicated how many records were actually exposed (including the 16 breaches where no records were exposed because the data was encrypted or otherwise protected), and it does not include any of the 254 breaches where an unknown number of records were exposed. So the actual number of exposed records is likely much higher, possibly in the range of 58 million records (assuming that the breaches where the numbers are known are representative, and that the underlying math was done correctly).

Beyond the raw numbers, the trends in data breaches revealed by the ITRC report are also interesting. When we hear about personal information being stolen, security breaches, and identity theft, often our first impulse is to blame hackers and Internet criminals, strangers to an organization who seek to take advantage of flaws in firewalls, networks and computer systems to obtain valuable information. This assumption may be the result of the number of high profile breaches that have been traced to hackers, including:

Of course, while hackers remain a threat, the ITRC report suggests that businesses may face greater threats elsewhere.

The ITRC report states that in 2008 only 91 breaches, 13.9% of all known breach incidents, were the result of hacking. The remaining 86.1% of incidents were due to accidental exposure, “data on the move,” insider theft, and subcontractor error, along with the nearly 25% of all breaches that the ITRC has not categorized.

13.9% is not an insignificant number, and the fact that hacking accounted for a greater percentage of the 35.5 million records exposed, 19%, shows how important working to prevent this sort of breach can be. However, to focus exclusively on hacking when worrying about data breaches is to ignore the remaining 86.1% of security breaches. This series of posts will look at the trends in reported data breaches and discuss key incidents in each category and useful prevention strategies.
