Running Total for 2007 as of February 12th - a minimum of


Individual Records Were Illegally Breached. The National Pandemic of Stupidity Continues... Are You on the List?

Monday, February 12, 2007

VA Data Breach is NATIONWIDE - VA UPdates to 1.85Million the Number of Lost "Records"

Just like last time, the information slowly trickles out about the breach at the Veterans Administration. Again, just as in the last case, they have made and will continue to make "revisions" to the amount of data that was actually lost. These revisions are always UP and involve new and shocking information with each release. The latest revision was released on a SUNDAY - yet again showing the VA's habit of releasing information on a holiday, weekend or at other times in an effort to "slide by" the media and the public.

When everything is said and done and they actually do find the hard drive in some black market stall, they will undeniably announce like they did last time that "the data has not been accessed" although we know this statement to be a lie since there is absolutely no way of knowing whether or not the data was accessed, copied or ghosted to another hard drive.

How about a full-blown press conference Mr. Nicholson - say at 2:00PM on a Wednesday - with 2 business days notice to the national and local press, full disclosure of all events and facts and a question & answer period at the end? I am sure you could find time in your schedule to enlighten the American people that pay your salary and actually fund the VA.

This UPdate pegged the number of VA individuals affected at 535,000 (not the 48,000 with only 20,000 records "unencrypted" as stated previously), and the real shocker this time is that there were additional NON-VA records on 1.3 million private physicians, although the VA states that only "some of the files contain personal information".

Whom and what to believe are the real questions here. The VA should know by now, after 4 weeks, exactly what information was on the hard drive and should disclose everything - not just feed us bit-by-bit hoping that no one will put the information together.

VA Update on Missing Hard Drive in Birmingham, Ala

11 Feb 2007, 5:37 PM CST

WASHINGTON -- The Department of Veterans Affairs (VA) on Sunday issued an update on the information potentially contained on a missing government-owned, portable hard drive used by a VA employee at a Department facility in Birmingham, Ala.

“Our investigation into this incident continues, but I believe it is important to provide the public additional details as quickly as we can,” said Jim Nicholson, Secretary of Veterans Affairs. “I am concerned and will remain so until we have notified those potentially affected and get to the bottom of what happened.

“VA will continue working around the clock to determine every possible detail we can,” Nicholson said.

VA and VA’s Office of Inspector General have learned that data files the employee was working with may have included sensitive VA-related information on approximately 535,000 individuals. The investigation has also determined that information on approximately 1.3 million non-VA physicians — both living and deceased — could have been stored on the missing hard drive. It is believed though, that most of the physician information is readily available to the public. Some of the files, however, may contain sensitive information.

VA continues to examine data on the employee’s work computer. The employee has been placed on administrative leave pending the outcome of the investigation. VA has no information the data has been misused.

The non-VA physician data is used by VA to enhance the quality of care for veterans by analyzing and comparing information about the health care received from VA and non-VA providers.

Next week, VA will begin making notifications to individuals whose sensitive information may have been on the hard drive. VA is also making arrangements to provide one year of free credit monitoring to those whose information proves compromised.

“VA is unwavering in our resolve to bolster our data security measures,” Nicholson added. “We remain focused on doing everything that can be done to protect the personal information with which we are entrusted.”

On January 22, the employee, who works at the Birmingham (Ala.) VA Medical Center, reported the external hard drive was missing. On January 23, VA’s IG was notified. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA’s Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.

The OIG seized the employee’s work computer and began analyzing its contents. This analysis continues and VA IT staff has been providing technical support.

In addition to the ongoing criminal investigation, the OIG initiated an administrative investigation to determine how such an incident could occur.

VA is operating a call center that individuals can contact to get information about this incident. That toll-free number is 1-877-894-2600. The call center will operate every day from 7 a.m. to 9 p.m. CST as long as it is needed.

Monday, February 05, 2007

Update on Missing VA Hard Drive - The Plot Thickens...

It appears now that this "missing hard drive" was stolen from a VA FACILITY. This is in sharp contrast to last year's missing-at-home scenario. This means that the drive walked out of a secure government facility with un-encrypted data on it.

Why was the data only partially encrypted? According to testimony before Congress by Director Jim Nicholson, ALL private data was to be encrypted on VA computers.

Why would the VA allow a "backup" from the employee's computer when the data is only supposed to be on a secure VA server?

There is an untold tale that will eventually surface regarding the rest of the story. We'll be waiting.

Update for Small Accountancy Firms and Tax Preparers - GLBA

Congress passed sweeping legislation in 1999 to require "financial institutions" to protect their customers' data. While traditional tax preparers aren't considered financial institutions, they do collect and warehouse private financial data and ARE subject to this rule.

Even though you "think" it may not apply to you, read on... It very well might.

See below for information from the following publication:

In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act

Protecting the privacy of consumer information held by "financial institutions" is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.

Here's a brief look at the basic financial privacy requirements of the law.

Financial Institutions

The GLB Act applies to "financial institutions" - companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC's regulation applies only to companies that are "significantly engaged" in such financial activities.

The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.

CPAs Exempt from Gramm-Leach-Bliley Act Privacy Notification Requirement

Press Release from the AICPA, Washington, DC, October 13, 2006—The President today signed a bill that exempts certified public accountants from the Gramm-Leach-Bliley Act’s requirement that CPAs send their clients an annual privacy notice. The exemption is effective immediately.

Tax preparers are however NOT currently exempt from the Security Rule of 15 U.S.C. § 6801, which states:

(b) Financial institutions safeguards

In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards -

(1) to insure the security and confidentiality of customer records and information;

(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and

(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Thank you George Toft from for bringing this to our attention.

Thief Steals Tax Records for Identity Fraud

Announced February 3rd, 2007
Computer Data Theft - Data Breach - Unencrypted Data
Financial Data
800 Records

Governing Privacy Law or Rule - GLBA, State Laws

Reporter: Kari Huston -
Thief Steals Tax Records

Eight hundred people are in jeopardy of having their credit ruined, because thieves in the night stole their personal information from a Cassopolis tax preparer.

“I come around here and my computer is gone. My hard drive is gone. I went hysterical,” recalls Carlotta Kirstein. “I screamed, ‘I’ve been robbed!’”

Kirstein owns CTS tax service on Highway M-62. Since 1985 she has been preparing returns for clients in Cassopolis, Edwardsburg, Elkhart, Ohio, Virginia, Illinois and Washington.

She believes someone knew her computer possessed valuable information. “I had money in here. I had checks and nothing was taken, just the computer,” says Kirstein. “If it would only concern me, if it would only affect my life it would be fine, but this is 800 people's lives. That's kind of sad. All their information is on there, bank account routing numbers, birthdays, social security numbers, addresses, everything is on there.”

Between 1:00 a.m. and 3 a.m. a neighbor saw headlights in the CTS parking lot. Footprints in the snow led police to believe that more than one person broke in the back door. “We're urging anyone who had an account with CTS to contact the credit bureaus and put a fraud alert on, as well as contact their banking institutions,” suggests Captain Lindon Parrish of the Cass County Sheriff’s Department.

“I'm putting flags on my accounts,” says CTS client Vicki Vaughn. “I have to change some of the accounts right now because they said they cannot do it over the phone.”

Carlotta is offering a $5,000 reward to help catch the thieves. If those people are watching Carlotta would like to say, “Shame on you! How can you do this to somebody else? How can you do this?” And to anyone who may know who did this, “please come forward,” she pleads. “Please tell, too many lives depend on this.”

To report information that could lead to that reward call the Cass County Sheriff's Department at 269-445-1560. If you are a client of CTS and you'd like to report fraudulent activity on your accounts call 269-445-1244.

Saturday, February 03, 2007

Update on Veterans Affairs Hard Drive - The information is trickling out AGAIN.

Notice the timing of the Press Release

Hard drive that may contain personal data on veterans missing in Birmingham, Ala.

ASSOCIATED PRESS - 9:12 p.m. February 2, 2007

WASHINGTON – A portable hard drive that may contain the personal information of up to 48,000 veterans may have been stolen, the Department of Veterans Affairs and a lawmaker said Friday.

An employee at the VA medical center in Birmingham, Ala. reported the external hard drive missing on Jan. 22. The drive was used to back up information on the employee's office computer. It may have contained data from research projects, the department said.

The employee also said the hard drive may have had personal information on some veterans, although portions of the data were protected. Secretary of Veterans Affairs Jim Nicholson said that the VA and the FBI are investigating.

Rep. Spencer Bachus, R-Ala., said that the personal information of up to 48,000 veterans was on the hard drive and the records of up to 20,000 of them were not encrypted.

Pending results of the investigation, VA is planning to send individual notifications and to provide a year of free credit monitoring to anyone whose information is compromised.

Commentary -

Credit monitoring? Same old tired response to an epidemic of stupidity.
Secure the Data Already!

Commentary on VA Loss - Arrogance and Stupidity Redux

By James Childers
CEO Artemis Solutions Group
Intelligent Biometric Solutions, iQBio

February 3rd, 2006

Once again the pervasive culture of hubris, arrogance, recklessness and self-serving glad-handing at the United States Veterans Affairs Office has exposed the personal data of our fighting men and women through yet another act of stupidity regarding the protection of personally identifiable data with which they have been entrusted.

Twice within one week, the VA announced two separate breaches: one in Bremerton, WA involving raw files that were left in an employee's car, and one in Birmingham, AL involving yet another un-encrypted portable hard drive with personally identifiable data. What DATA? Who authorized the transfer of this data to an un-encrypted, insecure drive AGAIN? How much data is on the drive?

To be perfectly clear this is at least the FIFTH BREACH of portable data that has actually come to light from the VA in the last year.

The culture of carelessness with sensitive data appears to be alive and well at the VA. Again!

Let's take a quick look back at the controversy that erupted last year in May when ANOTHER un-encrypted portable hard drive was "lost" by an unnamed VA employee. Here are the particulars and the remarkable similarities to this current breach:

Like the breach last year, this data breach was not exposed for two weeks after it was known by the VA. The culture of denial and cover-up is alive and well at the VA.
  • “I will not tolerate inaction and poor judgment when it comes to protecting our veterans,” said Nicholson, declaring that he initially left it to VA investigators rather than calling the FBI.

    “I am outraged at the loss of this veterans’ data and the fact an employee would put it at risk by taking it home in violation of our policies,” he said in a statement to The Associated Press. “Upon notification, my first priority was to take all actions necessary to protect veterans from harm.” Actually... what he meant to say was upon notification his first priority was to try to mitigate the damage, minimize the impact and save his career. Everything else is window dressing.

  • This latest breach was reported to the department on January 23rd, and as you can guess, was not reported to the public until February 2nd, after 5:00PM on a Friday nearly two weeks later. News stories leaked on a Friday traditionally have much less impact than those reported during the week, when the standard news outlets would normally devote much greater coverage to the reporting. This is especially true when the news is announced "after hours". The kicker in this report is that they announced it on Super Bowl Weekend, thus hoping to mitigate the effects even further while the country's attention is focused elsewhere. Distract, Evade and Mitigate Damage.

Like the breach last year, the theft of data was handled by the VA Inspector General; this time, however, they did bring in the FBI.

In his statements before Congress, the Secretary of Veterans Affairs, Jim Nicholson was severely rebuked for not turning this information over to the FBI immediately.

Just like last time, Mr. Nicholson touted his "resolve to be the leader in protecting personal information". This statement would be almost laughable if it weren't such a serious threat to both personal liberty and national security.

In his statement last year:
  • "VA is revising its regulations, policies, guidelines and directives in the entire area of information technology and information security. This has been a wake up call to us, and we are working to assure that we have clear guidance for all VA employees in place, and that they are aware of what is required of them - and of the consequences, should they fail to adhere to that guidance. We are revising VA Directive 6500 which sets forth the guidelines for information security and the enforcement mechanisms pertaining to that. This is a fast track initiative, and I anticipate issuing the revised directive shortly.

    But I am convinced that, coming out of a very bad situation, we can make the VA a model for data security. I believe we can craft a structure that will be the Gold Standard for the government, much as the VA's vaunted electronic medical records and health care system are being held up as a standard to be emulated."
A year later:
  • "VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform ? and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."
Same Song, Same Dance, Different Day ... The Potomac Two-Step. The VA is seriously delinquent in the formation and enforcement of its policies, and then it tries to pull the wool over the public's eyes by leaking information little-by-little in an effort to spin the damage.

The VA's own website states the following while they were trying to mitigate the public relations damage over the last breach:

Since the incident, all VA employees have received training in the proper handling of sensitive information and laptop computers throughout the department have had reliable data encryption programs installed.

This prose to please the proletariat is expected, but where is the BEEF? If this statement were true, and all relevant department policies were followed, why did we have the loss of the un-encrypted hard drive in Birmingham and the theft of RAW FILES in Bremerton, WA last week? You can encrypt the laptops, but if the data itself is not encrypted - what good does it do? There are some serious questions to answer at the leadership level in the VA.

Here are some relevant issues that were uncovered as a result of the last data breach and the resulting cover-up:

James Nicholson's testimony before Congress in June 2006:
  • "As I stated in my testimony before both the House and Senate Committees on Veterans' Affairs last month, I am outraged at the theft of this data and the fact an employee would put it at risk by taking it home in violation of VA policies. I am also gravely concerned about the timing of the Department's response once the burglary became known." This time they again waited almost two weeks to inform the public. Evidently he wasn't outraged enough.

  • "I have initiated several actions to determine how to best strengthen our privacy and data security programs. On May 24, 2006, we launched the Data Security-Assessment and Strengthening of Controls program, a high priority, focused plan to strengthen our data privacy and security procedures. This program will minimize the risk of a re-occurrence of incidents similar to this recent breach, and seeks to remedy material weakness that could place sensitive information at risk.

    One existing Security Guideline, Security Guideline for Single-User Remote Access, describes appropriate security measures for mobile or fixed computers used to process, store, or transmit information or connect to VA IT systems when such computers are housed in an alternate work location. It identifies and recommends the minimally acceptable security controls when VA personnel use anything other than a direct connected, VA-controlled local area network (LAN) connection to perform VA information processing. Examples include people that are on travel, telecommuting or working from alternate work locations. This document requires that any data not stored on our systems be encrypted and password protected. If this is true and the policy was circumvented, these employees should be fired along with Mr. Nicholson.

Point ONE: Secretary Nicholson should be fired.

Point TWO: BOTH Employees that recklessly handled this data in violation of the above mentioned policies should be fired.

Point THREE: STRICT POLICIES of limiting access to ONLY individuals that have a need to use this information for the service of the VA Clients need to be implemented and enforced.

Point FOUR: ANYONE having access to individually identifiable data must undergo on-going security clearances. The data analyst in last year's breach did not have the required on-going security clearance reviews. None. Ever.

Point FIVE: Encrypt and secure access to the data with reporting and tracking capability.

The VA has been lax in its stewardship, warehousing and use of the data with which it is entrusted. The unauthorized release of this data is a threat to both personal liberty and national security. Look at our previous blog on this last year for clarification of this issue and the evasion, deception and progressive clarifications by the VA.

The VA implemented Directive 6500 on August 4th, 2006 which requires Department-wide compliance with the Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549. This directive specifically requires the implementation of best practices with regard to data integrity and transparency when data is breached. Have we seen the last of the "updates" from the VA? We'll be watching and waiting for the other shoe to drop. How about a different message - SECURE THE DATA ALREADY?

Missing Veterans Affairs hard drive sparks identity theft fears

Announced February 2nd, 2007
Portable Hard Drive Theft - Portable Data Breach - Unencrypted Data
Medical Data and Personal Identifying Data
48,000+ Records

Veterans (Current and Former?) Data Stolen AGAIN!???

Governing Privacy Law or Rule - HIPAA,
Federal Information Security Management Act of 2002, 44 U.S.C. §§ 3541-3549, State Laws

Feb 2, 2007

WASHINGTON (Feb. 2, 2007) -- The Department of Veterans Affairs (VA) today announced that an employee reported a government-owned, portable hard drive used by the employee at a Department facility in Birmingham, Ala. and potentially containing personal information about some veterans is missing and may have been stolen.

"I am concerned about this report," said Jim Nicholson, Secretary of Veterans Affairs. "VA's Office of Inspector General and the FBI are conducting a thorough investigation into this incident. VA's Office of Information and Technology is conducting a separate review. We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved."

On January 22, the employee at the Birmingham VA Medical Center reported that an external hard drive was missing. The hard drive was used to back up information contained on the employee's office computer, and may have contained data from research projects the employee was involved in. The employee also indicated the hard drive may have contained personal identifying information on some veterans, but asserts that portions of the data were protected. Investigators are still working to determine the scope of the information potentially involved.

On January 23, VA's IG was notified the external hard drive was missing. The OIG opened a criminal investigation, sent special agents to the medical center, and notified the FBI. VA's Office of Information & Technology in Washington, D.C. also dispatched an incident response team to investigate.

The OIG has seized the employee's work computer and is in the process of analyzing its contents. VA IT staff is providing technical support in this effort. Analyzing the work computer may help investigators determine the nature of the information the hard drive potentially contained.

Pending results of the investigation, VA is prepared to send individual notifications and provide one year of free credit monitoring to those whose information proves compromised.

In addition to the ongoing criminal investigation, the OIG has initiated an administrative investigation to determine how such an incident could occur. VA will provide further updates as the investigation produces additional information.

"VA is unwavering in our resolve to be the leader in protecting personal information, and training and educating our employees in best practices in cyber and information security," said Nicholson. "We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans' personal information first is no easy task. I have committed VA to achieving such reform ? and we will. This unfortunate incident will not deter our efforts, but it underscores the complexity of the task we have undertaken."

Thursday, February 01, 2007

Workers Compensation Database Stolen - 1200 Records

Announced January 30th, 2007
Network Security Breach - Unencrypted Data
Workers comp data stolen
1,200 Records

Workers Compensation Database Stolen

A former state contractor allegedly accessed a workers' compensation database to steal personal information and fraudulently obtain credit, the Department of Industrial Accidents announced today.

The agency said up to 1,200 people who had submitted workers' compensation claims to the state -- and their Social Security numbers -- may have been compromised, although officials have evidence that only three people had their personal information used improperly.

The worker, who was not immediately identified, was fired, arrested and charged with identity fraud. Law enforcement officials notified the agency of the alleged breach.

"The DIA has taken swift action to inform the public and the 1,200 individuals potentially affected by this situation," the agency said in a statement. "DIA has sent written notifications directly to the potentially impacted claimants. In addition, DIA has posted information on its web site and established a telephone hotline to address claimant concerns."

The statement added: "All of us at the Department of Industrial Accidents deeply regret what happened. We take our public trust very seriously and we are taking immediate steps to ensure that this situation does not happen again."

The hotline number is 1-800-323-3249, ext. 560. (AP)
Posted by Boston Globe Business Team at 12:27 PM

TJX Hit with Second Class Action Lawsuit - FINALLY someone is being held accountable.

Bank files class-action lawsuit against retailer

WASHINGTON -- TJX has been hit with a second class-action lawsuit over the theft of customer credit card data by computer hackers.

The Boston Globe reports that Alabama-based AmeriFirst Bank filed the suit in U.S. District Court. The bank is seeking to recover the costs of replacing compromised credit cards and covering fraudulent purchases.

Other banks and financial institutions could join in the suit.

The Globe says the Massachusetts Credit Union League is also asking Framingham-based TJX to reimburse credit unions for the costs of reissuing credit cards.

A class-action lawsuit was filed earlier this week on behalf of consumers.

Meanwhile, Massachusetts Congressman Ed Markey has asked the Federal Trade Commission to investigate the security breach.

(Copyright 2007 by The Associated Press. All Rights Reserved.)

Vermont State Computer Breach - 70,000 Records Illegally Disclosed

Announced January 30th, 2007
Network Security Breach - Unencrypted Data
Vermont State Government
70,000 Records - Bank Records, Social Security Numbers, Personal Information

Governing Privacy Law or Rule - GLBA, State Laws

Vermont State was warned of potential computer security breach

(iQBio Commentary - "AN UNSECURED COMPUTER DIRECTLY ON THE INTERNET WITH SENSITIVE DATA?" This is the absolute pinnacle of stupidity. Anyone involved with this breach should be fired, sued and promptly run out of town.)

MONTPELIER, Vt. --A Microsoft security patch was downloaded but not installed on a state computer that hackers later broke into, gaining access to names, Social Security numbers and bank account information for nearly 70,000 people, an official confirmed Tuesday.

An internal state report on the hacking incident says Microsoft, a national computer security institute and "even the Department of Homeland Security all gave special priority to the application of this patch in order to fix the vulnerabilities ... that unauthorized attackers could gain control of a system."

The report goes on to say the patches released in August "were downloaded but never applied on this system."

The finding was contained in the report on an incident in which hackers broke into a computer that was set up to track the finances of noncustodial parents three or more months behind on child support payments.

Banks are required by federal law to provide quarterly reports on the finances of people who owe back child support. One of nine affected banks, New England Federal Credit Union, twice provided the information not just on child support deadbeats, but on nearly all of its roughly 59,000 members. The compromised computer contained that information, officials said.

The internal state report was chock full of technical information and computer terminology, but made repeated references to two things: worms, which are bits of computer programming that burrow into a computer; and Trojans, which allow someone from as far away as China to tell the computer to execute specific commands, including sending its data over the Internet.

As they announced the breach of the state Office of Child Support computer on Monday, state officials emphasized that the attacks appeared to have been launched automatically by hackers targeting hundreds or thousands of computers on the Internet, looking for vulnerabilities.

"It was an automated attack, which I think is critically important, and not a targeted attack by an individual," Human Services Secretary Cynthia LaWare said Monday.

The internal state report pointed to more direct personal involvement.

"Although it is not clear prior to September 12th whether or not this server was in the control of a human being (as opposed to merely being passively infected with worms containing Trojans) it is very likely following this date that the server was under the control of a person," the report says. The parenthetical phrase was contained in its text.

Thomas Murray, commissioner of the Department of Information and Innovation, said officials continued to believe that "somewhere somebody is launching this thing at hundreds of computers, but it's not Joe Hacker (getting) into a system and transmitting files."

Murray said officials do not believe the infectious programs were allowed to spread to other state computers; most are inside a "firewall" with sufficient security to have rebuffed any attacks. In fact, Murray said, technicians spotted the security breach in December when the viruses that had infected the child support computer began trying to spread to others on the system.

The state report says the first evidence of successful hacking came Aug. 18, 10 days after Microsoft issued its security patch. Initially, the report says, the state computer was "most likely compromised by an unknown autonomous worm exploiting a known vulnerability" -- the one described by Microsoft on Aug. 8.

Officials continued to say Tuesday that, while there was no evidence that sensitive personal data had been taken from the state computer, there also was no way to show that had not happened. The state was sending out letters to people whose information was compromised, said Heidi Tringe, spokeswoman for the Agency of Human Services.

"All of the affected individuals needed to be notified and provided suggestions on how they should protect themselves," Tringe said.

At New England Federal Credit Union, CEO David Bard said extra telephone call takers were being brought in to handle consumer inquiries. "Our focus is really on trying to provide resources to our members."

Meanwhile, a Norwich University computer security expert on Tuesday said it was "amazing" that the state had stored the sensitive data on a computer with such limited security protection.

"We haven't put unprotected computers directly on the Internet in this type of scenario for more than 10 years," said Peter Stephenson, a professor, computer security expert and senior scientist at Norwich's Applied Research Institute. "We're not talking about new technology here."



Veterans Administration Loses Data AGAIN - Undisclosed Number of Records Lost

Announced January 22nd, 2007
Portable Data Breach - Paper Folders Stolen from a Government Vehicle

Department of Veterans Affairs (AGAIN!)


A locked car that had folders of veterans' identifying information was burglarized late Wednesday in downtown Bremerton, according to the Bremerton Police Department and the Seattle office of the federal Department of Veterans Affairs.

The government-owned vehicle was broken into at a parking garage at Burwell and Pacific, and four folders of veterans' information and a government cell phone were taken, the veterans' affairs office said.

Bremerton police are investigating the car theft and the veterans office "is taking aggressive steps to protect and assist those who may be potentially affected," according to a press release.

Letters are being sent to the veterans which include information about obtaining a free credit check.

"The director's office is also reviewing policies and procedures to ensure they were followed," the press release said, "and will make whatever changes may be necessary to bolster the safeguarding of veterans' private information."

(iQBio Commentary - What the hell happened to the NEW POLICIES and PROCEDURES that were supposedly implemented after last year's 26.5 million record breach by the Dept. of Veterans Affairs? Why will these agencies, corporations and arrogant fools never learn?)

Lawsuit filed against TJX - Company Director Resigns


FRAMINGHAM – A class action lawsuit was filed yesterday in U.S. District Court in Boston against the TJX Cos., the same day the discount retailer confronting a data breach disclosed the departure of a director and provided additional information about an ongoing investigation.

Two law firms, including Stern Shapiro Weissberg & Garin LLP of Boston, yesterday filed an 11-page complaint against the Framingham company, which announced earlier this month someone broke into its computer system last year and stole credit and debit card numbers.

The lawsuit, filed on behalf of Paula G. Mace of West Virginia, alleges TJX failed to maintain adequate computer data security, which resulted in the exposure of millions of customers’ personal financial information. The company’s actions put customers at risk for fraud and identity theft and other damages, according to the complaint.

The lawsuit was filed the same day the company took a more public role in discussing the data breach, which TJX disclosed Jan. 17. The company also said yesterday that Gary L. Crittenden resigned as a director on Wednesday. Mr. Crittenden, who is also a director at Framingham-based Staples Inc., is executive vice president and chief financial officer at American Express Co.

TJX spokeswoman Sherry Lang could not be reached for comment. She told Bloomberg News the company doesn’t comment on director resignations.

In a video message and memo posted yesterday on the company's Web site, company officials said they waited a month to disclose the mid-December data breach to contain the problem and strengthen the company's computer network.

TJX purchased a full-page advertisement in the Sunday Telegram and posted updated information on its Web site yesterday, including a 7-1/2 minute video from founder and Chairman Ben Cammarata.

“I regret any difficulties our customers may experience because of this incident,” Mr. Cammarata said while standing in an empty TJX store. “We want our customers to feel safe shopping in our stores and I really believe you are.”

The company said its investigation has determined that customer transactions at its Bob’s Stores were not involved in the data breach and that debit cards issued by Canadian banks also were not affected.

Mr. Cammarata said TJX has decided not to pay for any credit monitoring because such a service doesn't detect fraud on debit or credit cards. He also said identity theft as a result of the data breach is unlikely because the vast majority of the stolen information did not include names or addresses. He reminded customers to be wary of potential scams as a result of the data breach. Customers should not provide any personal information about their bank accounts to anyone who might contact them by phone or e-mail, he said.


Lawsuit Filed Against TJX

Consumers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright Bring Class Action Suit for Loss of Credit Card Data; Filed by Berger & Montague, PC and Stern Shapiro Weissberg & Garin, LLP

Posted on : Tue, 30 Jan 2007 01:24:01 GMT | Author : Berger & Montague, PC
News Category : PressRelease

PHILADELPHIA, Jan. 29 /PRNewswire/ -- On January 29, 2007, the law firms of Berger & Montague, PC and Stern Shapiro Weissberg

The complaint charges that TJX was negligent for failing to maintain adequate computer data security of customer credit and debit card data, which was accessed and stolen by a computer hacker. As a result of TJX's actions, customer information was stolen from TJX's computer network that handles a wide range of financial information for millions of customers, including credit cards, debit cards linked to checking accounts, and transactions for returned merchandise. Although TJX discovered the data breach in mid-December 2006, it did not publicly announce the intrusion until one month later when it issued a press release on January 17, 2007. The delay harmed class members in that it prevented them from taking appropriate measures to protect their accounts.

While TJX continues to investigate the security breach, it has thus far determined that consumers who patronized TJX stores in 2003 and from mid-May through December 2006 may be affected. Because of TJX's actions, hundreds of thousands or even millions of its customers have had their personal financial information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages.

The law firm of Berger & Montague, PC consists of over 70 attorneys, all of whom represent plaintiffs in complex litigation. The Berger firm has extensive experience in consumer, securities, and antitrust class action litigation, and has played lead roles in major cases over the past 30 years, which have resulted in recoveries of several billion dollars for consumers and investors. The Stern Shapiro law firm has also been successfully involved in consumer and other class action litigation.

If you have been affected by the loss of credit card or other financial data, and have any questions regarding this matter, please contact: Berger & Montague, PC

TJX security breach aftermath: a case study in what to do wrong

Retailer needs to disclose more information before it is forced to

Source - Network World

'Net Insider By Scott Bradner, Network World, 01/29/07

Late last week I wrote about what retailer TJX had done wrong leading up to its recent widely reported security lapse. This week's column is about what TJX has done wrong since the lapse was discovered.

In spite of full-page ads in the Boston Globe and Boston Herald in the last two days, the extent of the security lapse is still not known because TJX has steadfastly refused to provide any concrete information. The lack of information provides fertile ground for speculation -- for example, published reports last week that as many as 30% of all New Englanders may have been impacted. On Jan. 26, TJX announced it had hired John Gilbert, formerly with Dunkin' Donuts, as chief marketing officer. Maybe he is smart enough to understand that stonewalling is the worst possible reaction to a problem. Everything will come out in the end, and in this case it may come out with the president of TJX testifying on national TV in front of Congress. It is far better to provide more information than is being requested so it does not look like you are covering up.

Maybe TJX feels it cannot do this because it is covering up. Originally TJX maintained that it delayed making a public announcement at the request of law enforcement only to later admit the delay was in part a "business decision" and now, in the ads, the company says it was "in the best interest of our customers." Yeah -- the best interest of customers was to keep them in the dark until they finished their Christmas shopping. In the end, TJX only admitted to a problem after the first Wall Street Journal report.

TJX has still not said how many cards were exposed, yet some information must exist because banks are quite busy contacting their customers and replacing cards (including my wife's). At the very least, TJX could tell its customers -- the folks whose trust it has to retain in order to stay in business -- what TJX told the banks. Delaying will increase rather than decrease the pain when the numbers do come out.

Unlike most organizations that have had similar, although far smaller, breaches, TJX has not said it would protect customers by buying credit watch services for them. I expect the company will have to do so at some point but because it is delaying so long, it's clear that protecting customers has not been a concern for TJX and it will only do so when forced.

TJX has not admitted that it was not compliant with the PCI security standards nor has the company committed to becoming compliant in the new ads. Visa's security requirements say that merchants the scale of TJX had to be compliant with the security standards by Sept. 30, 2004. If Visa had any courage it would give TJX a short fixed period of time to become compliant (say, 30 days from the breach discovery) or be stopped from accepting Visa cards.

The PCI standard requires merchants to "limit storage amount and retention time [of cardholder data] to that which is required for business, legal, and/or regulatory purposes." TJX has not said it has or will destroy the data retained in excess of this standard.

In short, TJX has said squat of any consequence. It will continue to be raked over the coals for that. It would have been so easy to do what Johnson & Johnson did after the 1982 Tylenol deaths -- get in front of the issue and stay there. But TJX decided to hide its head in the sand instead -- a very poor decision, but a good case study in what not to do.

Disclaimer: I can only guess if the Harvard Business School will develop a case study about TJX or what one would say, so the above review must be mine.

Salina Regional Health Center - 1,100 Patients

Announced January 24th, 2007
Portable Data Theft - Stolen Laptop
Salina Regional Health Center
1,100 Patients Personal Data and Medical History

Governing Privacy Law or Rule - HIPAA, State Laws

Patients' personal information threatened with computer theft
Some patients of SRHC could be at risk for identity theft

Salina Journal

A laptop computer containing the names, social security numbers and medical history of up to 1,100 patients is missing, putting them at risk for identity theft, and Salina Regional Health Center officials are offering a $2,000 reward for the laptop's return.

The hospital's computer was stolen along with a docking station, printer, overhead projector and other computer equipment, plus a small amount of prescription drugs, from the office of Veridian Behavioral Health, 501 S. Santa Fe, Suite 300, earlier this month.

Last week, those patients whose privacy was potentially compromised received letters from the hospital, notifying them to let their financial institutions know about the threat and to be on guard for false charges, Beth Vinson, the hospital's marketing supervisor, said Sunday.

Vinson wouldn't identify the laptop's authorized user for concern that publicly identifying him could further compromise patient privacy.


The reason the patient information was stored on the machine was because the user travels to different offices to treat patients. (iQBio Commentary - Visiting Nurses or Traveling Doctors are REQUIRED to have Encrypted Data on their Laptops and secure access with a high encryption password or biometrics according to the DSHS Standards. Why was this not done? This is a violation of a FEDERAL LAW - One that is almost never enforced)

"This person has different offices to go to, and this way when he traveled to different offices, he'd have that information available to him," Vinson said.

Vinson stressed that only patients treated by the laptop user would be at risk of having their identities stolen. At the time of the theft, the computer was shut off, and the patient information is double password protected, she said. (iQBio Commentary - Most passwords are simple passwords. Was this a "secure" password, or two simple, unsecure passwords?)

"At this point, there's no information that any of the information has been breached," Vinson said.

Salina Police Department officials said Sunday that none of the missing property has been recovered, and there have been no arrests made in connection with the case.

Anyone with any information on the theft may call Salina police at 826-7210, or Crimestoppers at 825-TIPS.

The hospital has given those individuals potentially affected a phone number to call to speak with the hospital's privacy officer, Donna Vineyard, about any concerns. Vineyard directs the hospital's information management department, where medical records are stored.

"We've received about 15 calls. No one has had any problems yet," Vinson said. "But we wanted to make sure that every possible method was used, so no one is the victim of identity theft."

In the meantime, she said, the hospital's security policies on the use of laptop computers are being reviewed.

There have been laptop thefts from government offices and private companies nationwide in several high-profile cases in recent years. In December, for instance, Boeing officials reported a laptop stolen containing the names and Social Security numbers of 382,000 workers and retirees. The laptop was stolen when an employee left it unattended.

"As small as computer hard drives are now, anyone could take a hard drive and walk out of any office," Vinson said. "It's going to be a problem as long as technology improves and devices get smaller.

"We do regret it happened. We're just trying to do everything possible to make sure we find the laptop and deal with those responsible."


Xerox Employees' Data on Stolen Laptop - 297 Employees

Announced January 23rd, 2007
Xerox - Wilsonville, OR
297 Employees' Personal Data

Governing Privacy Law or Rule - HIPAA, State Laws

WILSONVILLE -- Some employees at a local Xerox plant are worried about identity theft after a laptop was stolen from a manager's car.

The UniteHere Local 14Z Union said a computer containing employees' personal information was stolen from a human resources manager's car in August.

Letters were sent out to about 297 employees four months later, the union said. (4 months? Why did it take 4 months?)

Some of the employees affected said they experienced credit problems before they were informed of the theft, according to the union.

“One person had multiple cell phone accounts taken out in his name a month and a half after the theft,” said Brian Wood, Xerox employee.

“We did the right thing,” said Erin Isselmann, Xerox Spokeswoman.

Isselmann said the company wanted to investigate whether any personal information was on the laptop before informing employees.

“That was a process that took a very long time,” Isselmann said.

Xerox is offering all of those employees free credit protection for the next year.

(Drew Mikkelsen contributed to this report)

Greenville, SC School District - 1,000 Employees' and 100,000 Students' Records Breached

Announced January 20th, 2007
Greenville, SC School District
1,000 Employees and 100,000 Students

School district leaves personnel records behind during renovations

Governing Privacy Law or Rule - State Laws

Associated Press

GREENVILLE, S.C. - Boxes of personnel records - including the Social Security numbers of thousands of teachers - were accidentally left behind by the Greenville County school district when it vacated its office for renovations, officials say.

The 10 boxes held lists of every teacher employed by the district between 1972 and 1990, as well as their Social Security numbers, district spokeswoman Oby Lyles said Friday. Several other boxes contained personnel records as recent as 1998, Lyles said.

"While it seems apparent the records were left behind because they were essentially hidden and inaccessible, the district is investigating to determine responsibility and will take appropriate action," he said.

There was no evidence the records had been duplicated, Lyles said.

District officials and police searched the empty building Thursday night after The Greenville News told the district it had received an anonymous call about the boxes, which had not been located during a walkthrough of the building before it was vacated, according to an incident report.

A rear door of the building was also found to be "unsecure, due to screws keeping the locking mechanism from locking the door," the report said.

District officials will question employees and workers at the site, Lyles said.

The finding comes just two months after it was discovered that the district had sold computers containing Social Security numbers and birthdates for roughly 100,000 students and at least 1,000 employees.

The two buyers never released the information found in computers they bought at a dozen school district auctions between 1999 and last March but decided to go public with their findings after the district ignored their warnings about the information, their attorney has said.

Last month, Circuit Judge Diane S. Goodstein ordered the men and their company, WH Group, to return the computers, saying both sides had agreed to let an independent computer expert document all of the data.

Information from: The Greenville News

How to Make a Name for Your Company with Stupid Data Tricks

Announced January 18th, 2007
Data Breach UPDATE - TJX Companies
20+ Million Records Breached

Governing Privacy Law or Rule - PCI-DSS, State Laws, Federal Wire Fraud

How to make a name for your company - and do it real well!
  • Instruct Employees to Collect Unnecessary Sensitive
    Private Information - $ 10 per hour
  • Store Sensitive Customer Data on an Un-Encrypted
    PC - $ 700.00
  • Hole in Firewall for Hacker - $ FREE
  • Realizing through news reports that the ATTORNEY
    GENERAL of your home state is a victim of your
    stupidity - PRICELESS
Now, go explain to your shareholders, Board of Directors and the Authorities how and why you authorized this stupidity...

Attorney General Coakley victim of identity theft


BOSTON -- New Massachusetts Attorney General Martha Coakley admits to an identity crisis of sorts.

She says she's the victim of identity theft and she is taking the security breach personally.

Framingham-based retailer TJX is the latest company to have had its customer information compromised.

Potential victims number in the millions.

The thief used Coakley's information to buy a Dell computer.

Coakley says the system needs improving.

The customer data was hacked from a TJX computer system in mid-December.

If you think your private information may have been stolen, call the TJX help line.

The number is 1-866-484-6978.

Massachusetts Bankers Association Responds to TJX Companies Data Breach - Confirmed over 20 Million Individual Records Breached

Announced January 18th, 2007
Data Breach UPDATE - TJX Companies
20+ Million Records Breached

--Editors Note--

The actual depth and breadth of the TJX breach is now becoming fully known - piecemeal. While TJX appeared to have been claiming it was a victim in this breach, they understated the impact of the breach and purposefully understated their culpability in this breach. Updates from some media sources put the breach from TJX at over 20 million victims. Data that was illegally released includes credit card numbers, CVV codes, driver's license numbers, addresses and phone numbers of customers. This information is specifically prohibited from being collected and stored in the manner in which it was archived at TJX by PCI-DSS (the Payment Card Industry Data Security Standard). The collection and illegal dissemination of driver's license and other individually identifiable data with these records may expose TJX to additional liability through civil and criminal penalties, lawsuits, and other punitive measures. Why in the hell was TJX archiving the full contact records and credit card information for over 20 million people in the first place, and what were they thinking by storing it on an un-encrypted computer on their network? The full depth and breadth of the stupidity involved in this breach is leaking bit-by-bit to the media. What is even more frightening is that the information stolen from TJX is now VERIFIED as being used by identity thieves, and the sheer number of potential victims is staggering. We will have further updates as they are available on what could be the single largest commercial breach of all time with verified identity theft.
--James Childers--

Massachusetts Bankers Association Responds to TJX Companies Data Breach

Governing Privacy Law or Rule - PCI-DSS, State Laws, Federal Wire Fraud

BOSTON--(BUSINESS WIRE)--The Massachusetts Bankers Association:

  • MasterCard now Reporting Data Breaches to Banks
  • Thus far, 28 Massachusetts Banks Report Compromised Cards
  • Work of MBA Task Force is Underscored
  • Has TJX been “Victimized?”
  • Advice for Cardholders
The Massachusetts Bankers Association (MBA) said today that in addition to VISA USA, now MasterCard is contacting Massachusetts banks to report that some of their customers’ personal banking information may have been compromised due to the data breach reported by TJX Companies yesterday. Bay State banks are acting quickly to protect customers who have been red-flagged by the two card associations after doing business with TJX stores including TJMaxx, Marshalls, Winners, HomeGoods, TKMaxx, AJWright, and HomeSense.

After surveying its banks, the MBA is reporting that thus far 28 banks have been contacted by the card associations indicating that some of their card holders have had personal information that may have been exposed due to the TJX data breach. The MBA is cautioning, however, that the number is likely to grow higher as, thus far, only 48 out of 205 banks in Massachusetts have reported in to the Association.

In addition, the MBA is questioning the TJX’s self-characterization as being “victimized” by the intrusion in a news release issued yesterday by the retailer.

Daniel J. Forte, CEO and president of the MBA said, “We think it’s a little odd that they would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary.”

Retailers, upon processing a debit or credit card purchase -- that is, verifying that the information on a card is correct, and that customers have money or credit in their accounts -- are prohibited by card network rules from retaining that information. “After the transaction clears,” said Forte, “there is no reason to store any data.”

TJX has not indicated what data it routinely captures, but the range of problematic data includes account numbers, expiration dates, personal identification numbers, and other verification information. “The company did indicate,” said Forte, “that driver’s license information may have been captured and exposed.”

Two years ago, after a data breach that occurred at BJ’s Wholesales Club, the MBA established the New England Debit Card Task Force. The group, consisting of the banking trade associations from the New England states, individual community bankers, representatives from the American Bankers Association, the America’s Community Bankers, the Independent Community Bankers of America, and the California Bankers Association, has been meeting frequently to address this very issue and develop ways to moderate fraud.

The task force has worked closely with Visa and Mastercard, engaging in dialogue centered on protecting consumers and seeking to moderate the impact and the costs that banks must bear when such data breaches occur.

“Visa and MasterCard have both been increasing fines and penalties for retailers when violations such as this are uncovered,” said Forte.


“Moreover, in Massachusetts,” added Forte, “through the work of the Debit Card Task Force, we have been leading an effort to manage the impact of fraud on consumers and our banks when it occurs due to a retailer’s data breach. We are strongly supporting recent legislation in Massachusetts that would place the liability for the expenses that banks must bear in the hands of the retailers at fault. We hope that long term, this approach would be the motivation that retailers need to enhance the security of their systems and protect consumers, as well as your local bank. While expensive for all banks, ninety-five percent of the banks in Massachusetts are community banks, and these costs can be particularly tough for smaller banks and credit unions to absorb.”

Forte explained that when a bank must issue new cards due to a retailer’s data breach, it can add up to a significant expense considering that thousands of cards could be involved. “MasterCard, and now Visa, has in place a process for banks to make claims for the cost of re-issuing cards,” he said, “however, there is no guarantee that the full amount will be reimbursed. Additionally, there is the fraud issue. If a fraud does take place, MasterCard and Visa have a zero liability policy in place for the benefit of consumers, which is good. However, the cost is borne by the bank even if the retailer is responsible for a major violation of the card association rules resulting in fraud. Does this make sense?”

Forte added, “Bottom line, we believe it is critical that the card associations – Visa, MasterCard, etc. – and public officials carefully evaluate whether retailers should be held liable for a data breach, particularly when the information being stored is in violation of card network rules.”

The New England Debit Card Task Force, following the breach involving BJ’s Wholesale Club, began advocating a number of steps to enhance security. Its major recommendations include:

1) Notification – Giving banks the ability to notify customers on a timely basis;

2) Liability for the Fraud – Retailers should be held accountable, at present banks absorb the cost;

3) Full Reimbursement for card re-issue – This cost if not fully covered can be significant for banks;

4) Stronger Encryption Standards and Data Capture Limits – a must to protect consumers.

Although the MBA expects the number of banks and exposed cardholders in the TJX incident to rise, the MBA is telling customers not to worry. “You may not be in the affected group,” said Forte. “There is no reason to contact your bank. It will reach out to you if there is a problem. This is a situation that was not caused by your bank but you should know, if your information was exposed, we are working hard on your behalf. If you are notified that you are in the impacted group, remember just because your data was exposed, fraud may not occur. Nonetheless, it’s a good idea to check your statements and balances regularly, and order a credit report which you can receive free of charge once a year.”

The Massachusetts Bankers Association represents 205 commercial, savings and co-operative banks and savings and loan institutions in Massachusetts and elsewhere in New England.

Massachusetts Bankers Association, Inc.
73 Tremont Street, Suite 306
Boston, MA 02108-3906
Tel: 617-523-7595 / Fax: 617-523-6373
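The PCI-DSS point made in the Editor's Note above and in Mr. Forte's remarks (that full magnetic-stripe track data, card verification codes and unmasked card numbers must not be kept once a transaction has been authorized) is something a merchant or an assessor can check for directly in logs and databases. The scanner below is an added example written for this page; it is not code from TJX, the Massachusetts Bankers Association or the PCI Security Standards Council. It runs over a constructed point-of-sale log (store, lane, order and date values are invented; the card numbers are the industry's published test numbers) and flags Track 1 and Track 2 stripe data, labelled CVV/CVC fields, and bare 13-19 digit numbers that pass the Luhn check, masking each card number to first six/last four before reporting it. Driver's license numbers and PINs, which the release also lists, are not covered.

```python
"""Scan a point-of-sale log for PCI-DSS "sensitive authentication data"
that must not be retained after authorization: full track data, CVV/CVC
codes and unmasked primary account numbers (PANs).  Example code written
for this page; not from TJX, the MBA or the PCI Council."""
import re
from dataclasses import dataclass

# Constructed sample log.  Store/lane/order/date values are invented; the
# card numbers are the well-known published test numbers for Visa,
# MasterCard and American Express.
SAMPLE_LOG = """\
2006-12-18 14:30:55 store=0412 lane=03 auth=OK amount=59.99 order=1234567890123456
2006-12-18 14:31:02 store=0412 lane=03 track2=;4111111111111111=09121011000012345?
2006-12-18 14:31:40 store=0412 lane=01 track1=%B5105105105105100^DOE/JANE^0912101000000000?
2006-12-18 14:32:10 store=0412 lane=02 pan=3782-822463-10005 cvv2=1234 exp=0912
2006-12-18 14:33:00 store=0412 lane=02 pan=378282******0005 auth=OK
2006-12-18 14:33:30 store=0412 lane=03 dl=WA123456789 phone=5085551234
"""

# Magnetic-stripe layouts (ISO/IEC 7813): Track 1 begins "%B", Track 2 ";".
# Both carry PAN, expiry (YYMM) and a 3-digit service code, ending in "?".
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# A card security code stored as a labelled field.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I)
# 13-19 digits, optionally separated by single spaces/dashes; Luhn-filtered.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str     # "track1", "track2", "cvv" or "pan"
    masked: str   # first six / last four of the PAN, or "***" for a CVV


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the issuer prefix and last four, the most PCI-DSS allows to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line_no: int, line: str):
    findings = []
    # 1. Full track data: the format itself is the violation.  Blank the
    #    match afterwards so the embedded PAN is not reported a second time.
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append(Finding(line_no, kind, mask_pan(m.group(1))))
        line = rx.sub(lambda m: " " * len(m.group(0)), line)
    # 2. Labelled card verification codes.
    for _ in CVV_RE.finditer(line):
        findings.append(Finding(line_no, "cvv", "***"))
    # 3. Bare PANs.  The Luhn check drops order numbers, timestamps and
    #    phone numbers that merely look like card numbers.
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(line_no, "pan", mask_pan(digits)))
    return findings


def scan_text(text: str):
    """Scan every line; returns findings in line order."""
    out = []
    for n, line in enumerate(text.splitlines(), start=1):
        out.extend(scan_line(n, line))
    return out


def summarize(findings):
    """Count findings by kind, e.g. {"track2": 1, "pan": 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_text(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.kind:6s} {f.masked}")
    print(summarize(results))
```

On the sample log the scanner reports lines 2 through 4 only: the 16-digit order number on line 1 fails the Luhn check and is ignored, the already-masked PAN on line 5 is what a compliant log should look like, and nothing on line 6 is long enough to be a card number. In practice the same regexes are run over database dumps, batch files and debug logs, which is where retailers most often discover that track data was being written "temporarily" and never purged.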

CIBC Asset Management - 470,000 Records Breached

Announced January 18th, 2007
Computer Theft

CIBC Subsidiary - Talvest Mutual Funds
Montreal, Quebec

Governing Privacy Law or Rule - Provincial and Canadian Government Privacy Laws

Globe and Mail Update

The personal information of nearly half-a-million customers at a CIBC mutual fund subsidiary has gone missing, prompting fears of a potential security breach and inciting an investigation from Canada's federal privacy commissioner.

A backup computer file containing application data for 470,000 investors at Montreal-based Talvest Mutual Funds disappeared in transit on the way to Toronto recently, the bank said in a news release Thursday.

The file contained everything from client names and addresses to signatures, birth dates, bank account numbers and Social Insurance Numbers. Officials at CIBC Asset Management Inc., a division of the Canadian Imperial Bank of Commerce, said there is no evidence of fraud, nor is there any indication that any data on this hard drive has been accessed. The company did not explain how it lost the drive.

Privacy Commissioner Jennifer Stoddart, who launched a probe of CIBC following a faxing snafu two years ago, said she has determined there are grounds for another investigation in the Talvest matter, even though the bank brought the problem to her attention.

"Although I appreciate that the bank notified us of this incident and that it is working cooperatively with my office, I am nevertheless deeply troubled, especially given the magnitude of this breach, which puts at risk the personal information of hundreds of thousands of Canadians," said Ms. Stoddart. "My office is committed to carrying out a thorough investigation into this matter and to ensuring that preventive and corrective measures are put in place so that this does not reoccur."

The bank said it has taken immediate steps to rectify the problem, and has written letters to affected customers. The vast majority of these are clients of Talvest, rather than CIBC, which bought the mutual fund company in 2001.

The bank has promised to compensate customers for any loss, and is allowing them to enroll in a free credit monitoring program that can alert them if someone is trying to use their information without proper authorization.

"Although we have no evidence that the information contained in the backup file has been accessed in any way, we are acting out of an abundance of caution and want to assure our clients that we are taking all steps possible to address this matter," Steve Geist, president of CIBC Asset Management, said in a statement.

This is the second major security issue for Canadians in as many days. Wednesday, the U.S. retailer that owns discount chains Winners and HomeSense revealed it had been the victim of a massive computer hacking effort.

Sources told The Globe and Mail that the network break-in at TJX Cos. may have affected as many as 20-million Visa cards worldwide, and some estimates suggest as many as 2-million of these cards are Canadian. It's unclear how big that number will be for other card providers, like MasterCard, but the numbers suggest it could be one of the largest such breaches the country has ever seen, according to one person in the financial community. The RCMP is assisting U.S. authorities with that investigation.

The Talvest incident is another embarrassing episode on the privacy front for CIBC, which was at the centre of a faxing snafu in 2004. The bank sent errant faxes to a junkyard operator in West Virginia for three years, mistakenly divulging private customer information.

The junkyard operator eventually sued the bank for clogging his fax lines, and Canada's privacy commissioner launched an investigation. In a 2005 report, she expressed concern about a breakdown in privacy practices that could reflect a bigger problem in Canadian business.

Wednesday, January 17, 2007

TJX Companies, Inc. "Unknown Amount of Records Breached"

Announced January 17, 2006
Computer Network Breach - "Unknown Amount of Records"

TJX Companies, Inc.
Retail (T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores)
Framingham, MA

Governing Privacy Law or Rule - PCI-DSS, State Laws, Federal Wire Fraud

FRAMINGHAM, Mass.--(BUSINESS WIRE)--The TJX Companies, Inc. (NYSE:TJX) today announced that it has suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions. While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known. This intrusion involves the portion of TJX's computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could also extend to TJX's Bob's Stores in the U.S. The Company immediately alerted law enforcement authorities of the crime and is working closely with them to help identify those responsible. TJX is also cooperating with credit and debit card issuers and providing them with information on the intrusion.

TJX is conducting a full investigation of the intrusion with the assistance of several leading computer security and incident response firms and is seeking to determine what customer information may have been compromised. The Company is committed to providing its customers with more information when it becomes available.

With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores.

Ben Cammarata, Chairman and Acting Chief Executive Officer of The TJX Companies, Inc., stated, "We are deeply concerned about this event and the difficulties it may cause our customers. Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems and we believe customers should feel safe shopping in our stores. Our first concern is the potential impact of this crime on our customers, and we strongly recommend that they carefully review their credit card and debit card statements and other account information for unauthorized use. We want to assure our customers that this issue has the highest priority at TJX."

Important Information for Customers
  • TJX has established a special helpline for its customers who have questions about this situation. Customers may reach the helpline toll-free at 866-484-6978 in the United States, 866-903-1408 in Canada, and 0800 77 90 15 in the United Kingdom and Ireland.
  • TJX will also provide information for customers on its website, including tips on preventing credit and debit card fraud and other steps customers may take to protect their personal information.
  • TJX strongly recommends that customers carefully review their account statements and immediately notify their credit or debit card company or bank if they suspect fraudulent use.

Actions Taken By TJX

  • Upon discovery of the intrusion in mid-December, 2006, TJX immediately notified and began working closely with law enforcement authorities, including the United States Department of Justice and Secret Service and the Royal Canadian Mounted Police. The Company has coordinated its actions with these authorities and provided all assistance requested to seek to identify the criminals responsible for this incident. TJX maintained the confidentiality of this intrusion as requested by law enforcement.
  • The Company immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades.
  • TJX promptly notified and began working closely with the major credit card companies (American Express, Discover, MasterCard and VISA) and entities that process our customers' transactions. The Company has been providing them information including all requested credit and debit card information.

Information About the Intrusion

Through its investigation, TJX has learned the following with respect to the intrusion:

  • An unauthorized intruder accessed TJX's computer systems that process and store information related to customer transactions for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and its Winners and HomeSense stores in Canada.
  • The Company is concerned that the intrusion may extend to the computer systems that process and store information related to customer transactions for T.K. Maxx in the U.K. and Ireland, although TJX's investigation has not yet been able to confirm any such intrusion. It is possible that the intrusion may extend to Bob's Stores.
  • Portions of the information stored in the affected part of TJX's network regarding credit and debit card sales transactions in TJX's stores (excluding Bob's Stores) in the U.S., Canada, and Puerto Rico during 2003, as well as such information for these stores for the period from mid-May through December, 2006 may have been accessed in the intrusion. TJX has provided the credit card companies and issuing banks with information on these and other transactions.
  • To date, TJX has been able to specifically identify a limited number of credit card and debit card holders whose information was removed from its system and is providing this information to the credit card companies. In addition, TJX has been able to specifically identify a relatively small number of customer names with related drivers' license numbers that were also removed from its system, and TJX is contacting these individuals directly.
  • TJX is continuing its investigation seeking to determine whether additional customer information may have been compromised. TJX does not know if it will be able to identify additional information of specific customers that may have been taken.
The Company does not yet have enough information to estimate the extent of the financial cost it will incur as a result of this situation, and does not expect to be able to quantify the estimated financial impact of this issue at the time TJX announces January 2007 sales.

The TJX Companies, Inc. is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide. The Company operates 826 T.J. Maxx, 751 Marshalls, 271 HomeGoods, and 162 A.J. Wright stores, as well as 36 Bob's Stores, in the United States. In Canada, the Company operates 184 Winners and 68 HomeSense stores, and in Europe, 212 T.K. Maxx stores. TJX's press releases and financial information are also available on the Internet at

Source: Business Wire