Running Total for 2007 as of February 12th - a minimum of


Individual Records Were Illegally Breached. The National Pandemic of Stupidity Continues... Are You on the List?

Wednesday, January 17, 2007

TJX Companies, Inc. "Unknown Amount of Records Breached"

Announced January 17, 2006
Computer Network Breach - "Unknown Amount of Records"

TJX Companies, Inc.
Retail (T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores)
Framingham, MA

Governing Privacy Law or Rule - PCI-DSS, State Laws, Federal Wire Fraud

FRAMINGHAM, Mass.--(BUSINESS WIRE)--The TJX Companies, Inc. (NYSE:TJX) today announced that it has suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions. While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known. This intrusion involves the portion of TJX's computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland. The intrusion could also extend to TJX's Bob's Stores in the U.S. The Company immediately alerted law enforcement authorities of the crime and is working closely with them to help identify those responsible. TJX is also cooperating with credit and debit card issuers and providing them with information on the intrusion.

TJX is conducting a full investigation of the intrusion with the assistance of several leading computer security and incident response firms and is seeking to determine what customer information may have been compromised. The Company is committed to providing its customers with more information when it becomes available.

With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems. While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores.

Ben Cammarata, Chairman and Acting Chief Executive Officer of The TJX Companies, Inc., stated, "We are deeply concerned about this event and the difficulties it may cause our customers. Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems and we believe customers should feel safe shopping in our stores. Our first concern is the potential impact of this crime on our customers, and we strongly recommend that they carefully review their credit card and debit card statements and other account information for unauthorized use. We want to assure our customers that this issue has the highest priority at TJX."

Important Information for Customers
  • TJX has established a special helpline for its customers who have questions about this situation. Customers may reach the helpline toll-free at 866-484-6978 in the United States, 866-903-1408 in Canada, and 0800 77 90 15 in the United Kingdom and Ireland.
  • TJX will also provide information for customers on its website, including tips on preventing credit and debit card fraud and other steps customers may take to protect their personal information.
  • TJX strongly recommends that customers carefully review their account statements and immediately notify their credit or debit card company or bank if they suspect fraudulent use.

Actions Taken By TJX

  • Upon discovery of the intrusion in mid-December, 2006, TJX immediately notified and began working closely with law enforcement authorities, including the United States Department of Justice and Secret Service and the Royal Canadian Mounted Police. The Company has coordinated its actions with these authorities and provided all assistance requested to seek to identify the criminals responsible for this incident. TJX maintained the confidentiality of this intrusion as requested by law enforcement.
  • The Company immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades.
  • TJX promptly notified and began working closely with the major credit card companies (American Express, Discover, MasterCard and VISA) and entities that process our customers' transactions. The Company has been providing them information including all requested credit and debit card information.

Information About the Intrusion

Through its investigation, TJX has learned the following with respect to the intrusion:

  • An unauthorized intruder accessed TJX's computer systems that process and store information related to customer transactions for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and its Winners and HomeSense stores in Canada.
  • The Company is concerned that the intrusion may extend to the computer systems that process and store information related to customer transactions for T.K. Maxx in the U.K. and Ireland, although TJX's investigation has not yet been able to confirm any such intrusion. It is possible that the intrusion may extend to Bob's Stores.
  • Portions of the information stored in the affected part of TJX's network regarding credit and debit card sales transactions in TJX's stores (excluding Bob's Stores) in the U.S., Canada, and Puerto Rico during 2003, as well as such information for these stores for the period from mid-May through December, 2006 may have been accessed in the intrusion. TJX has provided the credit card companies and issuing banks with information on these and other transactions.
  • To date, TJX has been able to specifically identify a limited number of credit card and debit card holders whose information was removed from its system and is providing this information to the credit card companies. In addition, TJX has been able to specifically identify a relatively small number of customer names with related drivers' license numbers that were also removed from its system, and TJX is contacting these individuals directly.
  • TJX is continuing its investigation seeking to determine whether additional customer information may have been compromised. TJX does not know if it will be able to identify additional information of specific customers that may have been taken.

The Company does not yet have enough information to estimate the extent of the financial cost it will incur as a result of this situation, and does not expect to be able to quantify the estimated financial impact of this issue at the time TJX announces January 2007 sales.

The TJX Companies, Inc. is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide. The Company operates 826 T.J. Maxx, 751 Marshalls, 271 HomeGoods, and 162 A.J. Wright stores, as well as 36 Bob's Stores, in the United States. In Canada, the Company operates 184 Winners and 68 HomeSense stores, and in Europe, 212 T.K. Maxx stores. TJX's press releases and financial information are also available on the Internet at

Source: Business Wire

Commentary - Secure the Data Already - AGAIN!

Your private data is everywhere. Your identity is valuable and if it is compromised, the economic, emotional and even physical damage can almost never be reversed.

With every purchase you make online, every major purchase like a home or car, each account you open with a bank, broker or insurance agent, health care agency, doctor, or even when you apply for basic services such as telephone or power you are "required by these providers" to release information such as your name, address, social security number, phone number, date of birth, credit card numbers, spouse and children's names, dates of birth, and other private data that is unique to your identity. Most of this data is collected under the guise of verifying your identity or to fulfill some government mandate or industry guideline to validate their internal procedures. The question is, what happens with this data?

There are several US Government laws that regulate what can and cannot be done with certain types of personally identifiable information. Each of these laws has penalties for breaches of the requirements. The sad truth is that almost none of these laws are enforced even when a very public breach has occurred.

As an example, HIPAA (Health Insurance Portability and Accountability Act), a law that deals with the collection, maintenance and release of individual private health information, established both criminal and civil penalties for the unlawful release of patient data. This legislation took effect in April 2003. The Office for Civil Rights (OCR) within the Department of Health and Human Services is charged with investigating and prosecuting complaints. As of March 2006, the OCR has received over 18,000 complaints regarding the unlawful release of individual patient data, yet it has not imposed a single civil penalty. As of March 28, 2006, there have been only two criminal convictions under HIPAA. One was a Texas woman, Liz Arlene Ramirez, who was arrested after agreeing to sell the information of FBI agents to people whom she believed to be a drug trafficker, and the other was a man in Seattle caught using patients' information to fraudulently obtain credit cards. HIPAA, like most other laws dealing with privacy of financial transactions, banking, or other regulations designed to protect your data, is quite literally NEVER enforced.

So, how can you secure YOUR data? iQBio has several industry leading products that can help any person, business or government agency secure and control local or portable data with multi-factor authentication and encryption. Secure the data already... enough is enough.

ClipBio Pro - 1GB or 2GB Portable Flash Memory with Fingerprint Security starting at $69.95

iQBioDrive - 100GB or 160GB Portable Hard Drive with Fingerprint Security starting at $219.95

Each of the above is cheap insurance. Protect your data...

Announced January, 17, 2007 - Fitchburg Savings Bank "1300+ Records Breached"

Network Computer Breach

Fitchburg Savings Bank
Boston, MA

Governing Privacy Law or Rule - GLBA, State Laws

About 1,300 debit-ATM cards issued by Fitchburg Savings Bank were deactivated yesterday after the bank was told by Visa USA that a “large-scale data compromise” may have included its check cards.

None of the cards was used fraudulently and all are being replaced, said Martin F. Connors Jr., bank president and chief executive officer. “If someone has the person’s information, at this point they can’t do anything with it,” he said.

Mr. Connors said he was aware of at least one other financial institution in Worcester County with far more cards affected by the security breach. A broader problem was confirmed by the Massachusetts Bankers Association yesterday.

“It appears that Visa has notified a number of banks in Massachusetts that a large-scale retailer has had a problem with some of its customer data,” said Bruce E. Spitzer, an MBA spokesman. “Quite a few banks are replacing cards or notifying customers to be extra vigilant in monitoring their accounts. If a card needs to be reissued, the bank will do it.”

Another source indicated that the breach may be broader than Visa cards.

Mr. Connors said customers should receive new debit cards within a week. Cardholders may activate their new cards immediately by going to one of seven Fitchburg Savings Bank branches with proper personal identification and changing the PIN number on their new card. Or they can wait to receive a new pre-assigned PIN in the mail and follow the activation instructions, the bank said in a letter dated yesterday to customers.

Announced January, 17, 2007 - Diablo Municipal Water District "500 Records Breached"

Unencrypted Private Data - Stolen Computer Breach

Diablo Municipal Water District
Government Agency
San Marcos, CA

Governing Privacy Law or Rule - California Senate Bill SB1386

The credit-card numbers of about 500 customers in the Rincon del Diablo Municipal Water District were stolen yesterday in an early-morning break-in, officials said. Thieves smashed a glass wall at the district's offices on North Iris Lane and stole two computers, one from the customer services department and the other from engineering, said Darlene Lynn, interim general manager. Customers' names and credit-card numbers were contained in software on the customer services computer, but their Social Security numbers and birth dates were not on either computer, Lynn said. She said the number of stolen credit-card numbers could increase because officials are still determining the extent of information that was taken. No instances of credit-card numbers being used illegally have been reported, the district said, and police are investigating the burglary.

Announced January, 13, 2007 - North Carolina Dept of Revenue "30,000 Records Breached"

Portable Data Breach - Laptop Stolen w/ Unencrypted Data

NC Dept of Revenue
State Agency
Raleigh, NC

Governing Privacy Law or Rule - North Carolina Identity Theft Protection Act

A laptop computer containing files on 30,000 taxpayers was stolen from the car of an N.C. Department of Revenue employee last month, and state officials are cautioning everyone on the list to keep an eye on their finances for potential fraud.
The Revenue Department this week dispatched letters to all 30,000 people, apparently the first such episode since the enactment of an N.C. law last fall requiring government agencies to notify consumers when their data are lost or stolen.

Announced January, 12, 2007 - MoneyGram Corporation "79,000 Records Breached"

Network Computer Breach

MoneyGram Corporation
Minneapolis, MN

Governing Privacy Law or Rule - GLBA, State Laws

MoneyGram International Inc., a global payment services provider, announced Friday that a company server with consumer information for about 79,000 bill payment customers was unlawfully accessed over the Internet last month.

Announced January, 11, 2007 - University of Idaho "70,000+ Records Breached"

Unencrypted Private Data - Stolen Computer Breach

University of Idaho
Educational Institution
Boise, Idaho

Governing Privacy Law or Rule - State Laws

Three desktop computers have disappeared from the University of Idaho’s Advancement Services office – and now school officials say the personal data of alumni, donors, employees and students may be in danger. UI says someone stole the computers – and an internal investigation shows that as many as 70,000 social security numbers, names and addresses may be stored on the hard drives.

Announced January, 08, 2007 - Philip Morris, Altria, Towers Perrin "30,000+ Records Breached"

Portable Data Breach - Laptop Stolen w/ Unencrypted Data

Philip Morris
Towers Perrin Corporation
New York, NY

Governing Privacy Law or Rule - GLBA, State Laws

Philip Morris is warning thousands of local workers their personal information may have been accessed. The company began alerting employees this week that laptop computers have been stolen that included names, salaries and social security numbers of employees. These laptops were taken from the offices of a New York City consulting firm that handles benefit programs for Philip Morris.

Announced January, 08, 2007 - Notre Dame "Hundreds of Records Breached"

Unencrypted Private Data - Stolen Computer Breach

Notre Dame
South Bend, Indiana

Governing Privacy Law or Rule - State Laws

Notre Dame employees recently received a letter in the mail that some of their personal information may have gotten into the wrong hands. A University Director's laptop was stolen before Christmas. On January 2nd university employees received the letter notifying them of the crime. They were told they may want to monitor activities on personal accounts because the computer was storing Social Security numbers and salary information.

Announced January, 05, 2007 - Selma NC Fire Dept "250+ Records Breached"

Unencrypted Private Data - Stolen Computer Breach

Selma NC Fire Dept
State Agency
Selma, NC

Governing Privacy Law or Rule - State Laws

SELMA, NC -- A stolen laptop in Johnston County has firemen on alert for identity theft. The computer contained the names and social security numbers of volunteer firemen in Selma.

Announced January, 04, 2007 - Emory Healthcare, Geisinger HC, Williamson Med Ctr, Electronic Registry Systems, Inc. "50,000+ Records Breached"

Unencrypted Private Data - Stolen Computer Breach
Emory Healthcare
Geisinger HC
Williamson Med Center
Electronic Registry Systems, Inc.
Other "John Doe" Health Care Corporations
Multiple Locations in 5 States

Governing Privacy Law or Rule - HIPAA, State Laws

The theft of a computer from the office of an Ohio-based health care contractor on Nov. 23 has exposed sensitive data belonging to tens of thousands of patients in five health care firms across five states. The compromised data includes the names, addresses, medical record numbers, diagnoses, treatment information and Social Security numbers of the patients. Among those affected are patients at Atlanta-based Emory Healthcare, Danville, Pa.-based Geisinger Health System and Franklin, Tenn.-based Williamson Medical Center. The names of two other health care providers affected by the burglary at Cincinnati-based Electronic Registry Systems Inc. (ERS) have not yet been released.

Announced January, 03, 2007 - Wisconsin State Dept of Revenue "171,000 Records Breached"

Printing & Distribution Error
Wisconsin State Dept of Revenue
State Agency
Milwaukee, WI

Governing Privacy Law or Rule - State Laws

MILWAUKEE -- The State Department of Revenue today is urging taxpayers to contact credit bureaus to guard against identity theft after acknowledging late last week that Social Security numbers for 171-thousand taxpayers inadvertently ended up on mailing labels.

Announced January, 03, 2007 - KeyCorp "9,300 Records Breached"

Portable Data Breach - Laptop Stolen w/ Unencrypted Data
Banking Corporation
Akron, OH

Governing Privacy Law or Rule - GLBA, FCRA, State Laws

KeyCorp has notified customers in Ohio and other states that private information about them was taken when a laptop computer was stolen from an outside vendor. Officials say the information on 9,300 customers may include Social Security Numbers. Corporate communications for the Cleveland-based bank say affected customers were notified by mail.

Announced January, 03, 2007 - Academic Magnet High School "Hundreds of Records Breached"

Portable Data Breach - Laptop Stolen w/ Unencrypted Data
Academic Magnet High School
State Agency
N Charleston, SC

Governing Privacy Law or Rule - State Laws

North Charleston police are trying to find out who stole a laptop computer from Academic Magnet High School. That computer contains personal information about hundreds of students. This theft is actually the third time someone has stolen computers from this school. On November 17th, someone stole a desktop computer from a guidance counselor’s office.

Announced January, 03, 2007 - Century Motors "Hundreds of Records Breached"

Printing, Archiving & Secure Document Destruction & Improper Disposition of Private Information
Century Motors
Austin Texas

Governing Privacy Law or Rule - FCRA, PCI-DSS

All types of personal information from bank accounts to Social Security numbers were scattered along a busy Austin intersection. That mess was found Wednesday morning along a stretch of Burnet Road in Central Austin. It all started at the Century Motor Car lot. Documents were strewn all across the road. The papers contained personal information like Social Security numbers, home addresses, phone numbers, references and job information. The owner of the car lot says they are in the process of moving from one building to another. The box of information was mistakenly put in the trash.

Announced January, 02, 2007 - First Interstate Mortgage "Hundreds to Thousands of Records Breached"

Printing, Archiving & Secure Document Destruction & Improper Disposition of Private Information
First Interstate Mortgage & Realty Corporation
Las Vegas, NV

Governing Privacy Laws or Rules - GLBA, Nevada SB347, FHA Guidelines, FNMA Rules

Documents containing people's names, social security numbers and other personal data were overflowing from a dumpster from a local Real Estate and Mortgage Company.

First Interstate Realty and Mortgage was found to have simply placed hundreds of documents that should have been destroyed outside its dumpster.

Announced January, 01, 2007 - University of NM "Hundreds of Records Breached"

Government Agency - Education
Unencrypted Private Data - Stolen Computer Breach
"Hundreds of Records" Affected

At least three computers and four monitors were stolen from the associate provost's office overnight between Jan. 2 and 3, said Lt. Pat Davis, UNM Police spokesman. The computers may have contained faculty members' names and Social Security numbers, said Richard Holder, associate provost.

Breaches of Personal Data

One in three Americans was the potential victim of Identity Theft in 2006. Now we are continuing to chronicle the breaches as they happen in 2007. Almost all of these breaches involve the transport of portable unencrypted data being compromised through neglect, theft or outright stupidity on the part of the stewards of the data. Don't be a victim. Don't be the one who has to explain to your boss, your clients or, worse yet, a judge or jury that you did not take proper and adequate measures to protect valuable data with which you are entrusted.

ASG's ClipBio Pro and iQBioDrive provide encrypted fingerprint security for the safe storage and transport of private data. Our unique line of PC Peripherals and Client/Server security software allows system administrators to encrypt and store data using multi-factor authentication.