Saturday, November 03, 2007

Does anyone really know how much information was lost by TJX?

About a week ago, I saw that the number of compromised records in the TJX data breach had doubled.

Interestingly enough, the allegation that the number of compromised records had risen from 45 to 90 million wasn't brought forward by the folks at TJX. This new revelation came from the banking industry, which also reported that at least $151 million in fraud losses has been associated with the breach.

This isn't the first time in recent history that the estimate of records lost has risen dramatically. The Certegy breach jumped from 2.3 to 8.5 million records compromised, and the media caught on to that increase only as the result of an SEC filing.

Since this figure was put forward as part of an ongoing civil case against TJX, the people revealing it have a powerful motivation to prove their point. TJX is still claiming that most of the information stolen was masked (most of the card number replaced by asterisks), or had expired.
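To make "masked" and "expired" concrete, here is an added illustration (not code from the original post, and not anything TJX or the card issuers published) of how a primary account number is masked under the PCI DSS display rule (at most the first six and last four digits kept, the rest replaced by asterisks) and why a masked or expired record cannot even be presented for authorization. The test card number, expiry dates and reference date below are constructed sample data, not real cardholder details.

```python
"""PAN masking and basic plausibility checks on a leaked card record.

Added illustration, not code from the original post or from TJX.
The sample records below are constructed test data, not real cards.
"""
from datetime import date

# Constructed reference date: the date of the blog post.
BREACH_POST_DATE = date(2007, 11, 3)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test.

    A masked PAN contains asterisks and so fails immediately; a full PAN
    with a typo or one altered digit fails the checksum.
    """
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_leading: int = 6, keep_trailing: int = 4) -> str:
    """Mask a PAN the way PCI DSS permits for display: at most the first six
    and last four digits remain, everything in between becomes '*'."""
    if len(pan) <= keep_leading + keep_trailing:
        raise ValueError("PAN too short to mask")
    hidden = len(pan) - keep_leading - keep_trailing
    return pan[:keep_leading] + "*" * hidden + pan[-keep_trailing:]


def is_expired(exp_mm_yy: str, today: date) -> bool:
    """Card expiry 'MM/YY' is valid through the last day of that month."""
    mm, yy = exp_mm_yy.split("/")
    month, year = int(mm), 2000 + int(yy)
    # The first day of the following month is the first day the card is expired.
    first_expired_day = date(year + month // 12, month % 12 + 1, 1)
    return today >= first_expired_day


def record_usable(pan: str, exp_mm_yy: str, today: date) -> bool:
    """A leaked record can only be presented for authorization if the full,
    Luhn-valid PAN is present and the card has not expired. Masked or expired
    records fail here, before any issuer-side check (such as reissuance) runs."""
    return luhn_valid(pan) and not is_expired(exp_mm_yy, today)


# Constructed sample record: a standard test PAN, not a real cardholder.
FULL_PAN = "4111111111111111"
MASKED_PAN = mask_pan(FULL_PAN)          # "411111******1111"

if __name__ == "__main__":
    print(MASKED_PAN)
    print(record_usable(FULL_PAN, "12/08", BREACH_POST_DATE))    # True
    print(record_usable(MASKED_PAN, "12/08", BREACH_POST_DATE))  # False, masked
    print(record_usable(FULL_PAN, "06/07", BREACH_POST_DATE))    # False, expired
```

The point of `record_usable` is the ordering: a stolen record that is masked or expired is rejected by the most basic checks a merchant or processor applies, long before the issuer gets a chance to decline a card it has already cancelled and reissued.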

The $151 million in fraud losses startled me slightly, since I had seen only one story in the press about the stolen information actually being used: six people arrested in Florida who went on a million-dollar shopping spree and were later caught.

After doing a Google News search, I was able to find one more story, about a Ukrainian individual who was caught in Turkey trying to sell some of the data.

In the Boston Globe story where I read about this, both the card issuers and TJX dodged Ross Kerber's attempts to pin down the more recent loss estimates being made.

I wonder whether, in data breaches, anyone really knows, or whether all the parties involved simply put out whichever version of the facts suits their own interests in the matter.

The fact that some of the people investigating the TJX debacle have now doubled their estimate of the number of records compromised lends credence to this theory. Of course, that depends on which version of the story you want to take as gospel.

It's unlikely the hackers (who might know the most accurate figure) will ever admit to it, either. Doing so would incriminate them, and besides, it probably isn't good for the business they are in. Once a data breach is discovered, the fact that the information has been stolen is public, and from their standpoint it is compromised.

In fact, from the criminal's perspective (my speculation), the most profitable information they hold is data no one knows they've stolen yet. I'd be curious to discover exactly when all this fraud occurred. Did it occur before the breach was made public, or after?

Perhaps that is why so little of the information from data breaches seems to get used: quite simply, it has little value to the criminal element once everyone knows it has been compromised.

If you were an identity thief, would you want to buy any of the information from the TJX data breach? The bottom line is that it would probably be dangerous to use, and since issuers routinely cancel and reissue cards known to be exposed, it likely wouldn't even pass muster in most payment card authorization systems.

After all, knowingly using it would probably make them a statistic: one of the less than one percent of identity thieves who get caught.

There is no doubt that a lot of personal and financial information is being made available to criminals. Routinely, we see stories where the information is sold, e-commerce style, over the Internet.

The number of known sources from which data has been stolen has also gotten out of hand. The Privacy Rights Clearinghouse, Attrition.org and PogoWasRight are all making a valiant attempt to keep records of the known data breaches, but given the lack of transparency in most of these incidents, it's unlikely they will ever be able to document the full scope of the problem.

There are probably many more data breaches out there that go unreported, or where the breached entities have no idea they occurred.

Until we start going after the source of the problem (the criminals), data breaches and identity theft will continue to grow. As long as we bury our heads in the sand and minimize the problem, the criminals doing this will likely be laughing all the way to the bank!

Boston Globe article about the new statistics in the TJX breach (well-written), here.
