Sunday, September 23, 2007

TJX class action settlement only addresses about one percent of the total people compromised

Friday evening, MarketWatch announced that TJX -- who suffered a data breach compromising over 45 million of their customers -- has agreed to settle the class action lawsuits that were filed against them after the data breach was disclosed.

The class action lawsuits referred to were filed in both the United States and Canada.

Since most of the financial losses have been incurred by financial institutions -- who had to reissue the compromised cards and settle the fraud claims -- this settlement appears to primarily address the customers compromised by the breach of TJX's refund database.

This would amount to about 455,000 people, or one percent of the total number of people compromised.

Another issue that is still pending is how information is stored, and who will be responsible for paying for the administrative costs arising from data breaches in the future. Consumers Union is pushing for one of these bills, already passed in California, to be signed into law. Minnesota has already passed legislation that addresses this.

MarketWatch reports:
Under the settlement, which is subject to court approval, TJX will offer three years of credit monitoring and identity theft insurance to customers who returned merchandise without a receipt and to whom the company sent letters reporting that their driver's licenses or other identifying information may have been compromised.

TJX will also reimburse the customers for documented costs of certain license replacements and certain losses from identity theft if identification numbers compromised were the same as their Social Security numbers.

The company will hold a one-time three-day customer appreciation event, in 2008 or later, at which prices will be reduced by 15%.

One thing that concerns me is that the settlement offer states that one of the requirements to receive compensation will be that the identification number compromised has to match their Social Security number.

I guess that TJX and their affiliates don't want to address the rising phenomenon of synthetic identity theft? When synthetic identity theft is committed, different parts of a person's identity are crafted to create a new one.

Stephen Coggeshall of ID Analytics was recently quoted as saying:
Five years ago, this crime was hardly seen. Eighty-five to 90 percent of identity fraud is really this synthetic ID fraud, as opposed to the true name identity theft.

Just because the identity and the Social Security number were not compromised together doesn't assure that the person involved will not become a victim.

This led me to wonder how many Social Security numbers could have been compromised? The answer was right on a FAQ sheet on the TJX site:
We do not receive or store customer social security numbers per se. However, the drivers' license or military ID numbers customers provide us in unreceipted merchandise return transactions are, in some cases and in some states, the same numbers as their social security numbers. We are writing directly to customers we were able to specifically identify whose drivers' license, military or state ID numbers, together with their names and addresses, were found in the information believed compromised and identifying where we believe those numbers may be social security numbers.

Laws have been passed that prohibit the practice of placing Social Security numbers on identification documents.

In the identity theft world -- which is what the concern about this data breach is all about -- once a SSN (or a SIN, in Canada) is compromised, the criminal holding the information has everything necessary to complete a full identity assumption.

In the dark world of Internet forums that sell this information, a complete identity (SSN, or SIN included) is often referred to as a "full." The complete information on a person is simply worth a little more money to the criminals purchasing it.

Retail criminals, who cause billions in losses a year, often refund the merchandise to launder the proceeds of their efforts into cash. This was the very reason most retailers implemented databases to track the information of people who show up at refund desks a little too frequently.

With the increasing availability of fake identification and bogus financial instruments -- already being used at retailers to steal merchandise, with a focus on high-value items that are locked up -- it's likely that a lot of the information in these databases isn't completely accurate.

I would guess that the same people, using the bogus financial instruments, purchase the merchandise with them and then head to the refund counter.

As for the TJX offer to settle this portion of their liability, it still has to be accepted by the court. Of even greater importance is that retailers need to take a hard look at how these refund databases are protected -- and whether or not they are as effective in stopping refund fraud as they used to be.

For more information on the issue of using Social Security numbers on identification documents, the Privacy Rights Clearinghouse has a document, here.

The University of California submitted an interesting document to the Federal Trade Commission on the subject of synthetic identity theft, which can be seen, here.

Last, but not least, Tom Fragala at Truston put together a pretty neat blog post with a lot of references about synthetic identity theft, here.

1 comment:

Anonymous said...

Thanks for writing about this. I am studying the Univ of Calif. document you linked to. A very informative post.

I blog about my experiences as a typical consumer learning about ID theft, dealing with a prior employer's (IBM) data breach, and corporate responsibility:
I've Been Mugged. My first post explains why I gave my blog its name.

George