Data Theft Grows To Biggest Ever – Fraudulent Purchases Pop Up in Breach Of 45.7 Million Shoppers’ Records

At least 45.7 million credit and debit card numbers from customers in the United States, Britain and Canada were stolen over a period of several years from the computers of TJX, the discount retail giant disclosed in a regulatory filing this week. The figure, which the company said is incomplete, represents the largest reported computer theft of personal data in history.

TJX, whose 2,500 stores include clothing chains T.J. Maxx and Marshalls, reported the breach in January but disclosed its massive scale for the first time in a filing made to the Securities and Exchange Commission after business hours Wednesday.

The computer breach is significant not only because of its scope but also because the hacker or hackers had access to the decryption tool used to decipher sensitive encrypted information and an ability to intercept data as shoppers’ credit transactions were being approved.

Thieves have been using the data to make fraudulent purchases in Florida and as far away as Sweden and Hong Kong, according to police and bank officials.

Also taken were personal ID numbers, related names and addresses, and drivers’ license, military and state ID numbers from 455,000 shoppers who made merchandise returns in the United States and Puerto Rico.

{This cautionary story shows why Congress should act now to require the nation’s electronic health information systems to build in ironclad security and privacy controls. The current market is NOT building electronic health systems to protect medical privacy, but to facilitate access by the over 600,000 health-related businesses called ‘covered entities’, facilitate data mining, and facilitate unwanted secondary uses of our sensitive medical records. Medical records contain information about our minds, bodies and genetics, as well as our financial and demographic information and our social security numbers. We cannot afford to place all 295 million Americans’ futures at risk for job, credit discrimination, and identity theft by building an unsafe digital health system. Privacy-enhancing technology exists now, which could be used to provide consumers with exquisite control of access to their medical records down to the data field and state-of-the-art security protections to stop hackers and thieves. Congress has to require all electronic health systems to use these ‘smart’ technologies. ~ Dr. Deborah Peel, Patient Privacy Rights}

Databases Called Lax With Personal Information

The Social Security numbers of millions of Americans, including Vice President Cheney and celebrity heiress Paris Hilton, are available to many subscribers of Westlaw, a widely used information database company, U.S. Sen. Charles E. Schumer (D-N.Y.) charged yesterday.

Westlaw’s subscribers include government and law-enforcement agencies, law firms, corporations and news-gathering organizations. Westlaw, a division of Thomson Corp., said Social Security information is restricted to government agencies and a small number of corporations that need it, such as insurance companies investigating fraud.

“Fewer than 10 non-government customers have access to this type of information,” the company said in a written statement. “Furthermore, our terms of use restricting access go beyond federal law and current industry standards.”

But Schumer said the information is too easily available to any level of employee, adding that his investigation was prompted by complaints from consumers. He said the company has ignored his requests to restrict access to only those individuals who demonstrate they need the information, such as law-enforcement officers.

Schumer’s concerns add to a controversy over companies that buy and sell such data with little oversight to protect personal information.

Yesterday, Senate Judiciary Committee Chairman Arlen Specter (R-Pa.) said the panel would hold a hearing in response to the recent theft of Social Security numbers and other financial data of more than 100,000 people from ChoicePoint Inc., a Georgia-based database firm.

After setting up accounts with the company, identity thieves were able to gather information on at least 145,000 individuals.

“It’s time to turn some sunshine on these developments so the public can understand how and why their personal information is being used,” said Sen. Patrick J. Leahy (D-Vt.) in requesting hearings.

In the House, Rep. Joe Barton (R-Tex.), head of the Energy and Commerce Committee, has directed his staff to investigate the storage and security practices of database companies.

Schumer said comprehensive legislation is needed in an area that is largely unregulated at the federal level and governed by a patchwork of sometimes-conflicting state laws.

California, for example, requires companies to report breaches of their systems that result in exposure of personal data, a law that prompted disclosure of the theft at ChoicePoint.

Sen. Dianne Feinstein (D-Calif.) has proposed a similar federal law, which has been opposed by many technology and database companies.

In a news conference, at which were shown reproductions of Web pages displaying personal data of famous people, Schumer detailed how his staff was able to quickly retrieve Social Security numbers and addresses of former attorney general John D. Ashcroft, former homeland security secretary Tom Ridge, executives of Westlaw and others.

They tried President Bush, Schumer said, but his address came up as 1400 Pennsylvania Ave., instead of the White House’s address of 1600 Pennsylvania Ave.

“Westlaw’s service could be entitled ‘Identity Theft for Dummies,’” Schumer said. “To my mind, what bank robbery was to the Depression era, identity theft is to the information age. Everyone’s susceptible.”

In a written statement, Thomson West, the firm that operates Westlaw, said it shares Schumer’s concerns about privacy and identity theft. But the company denied the senator’s claims that it has been unresponsive to his inquiries.

Researchers at The Washington Post, a Westlaw subscriber, sought to replicate Schumer’s exercise and found that only the first five digits of an individual’s Social Security number were displayed.

But a Schumer spokesman said that a researcher at a major corporation not involved in credit checks or other investigations was able to get the complete numbers.

A spokesman for LexisNexis, a Westlaw competitor, said law-enforcement agencies, insurance and financial institutions can also get full Social Security data through LexisNexis’s service. But even if a potential customer is in the right industry, he said, they are screened to ensure they are legitimate.

Privacy experts say that in addition to raising questions about how well personal information is protected, the disclosures indicate an extreme overuse of Social Security numbers for identification.

“It has become the default identifier” for many commercial businesses, banks and Web sites, said Ari Schwartz, associate director of the Center for Democracy and Technology, a Washington group that studies digital rights and privacy issues.

When personal information is compromised, a Social Security number can be used as a tool for identity theft.

Many privacy advocates have urged businesses to create unique identification numbers for customers to use.

“The reliance on the Social Security number has created a false sense of security for businesses and a source of vulnerability for consumers,” Schwartz said.

© 2005 The Washington Post Company