Failures of Information Security: Observing the World and Asking Why

By Adam Shostack and Andrew Stewart, Addison-Wesley Professional |  Security, data breach, information security

TJX is an example of a company that announced a breach. TJX owns well-known brands in the U.S. such as T.J. Maxx and Marshalls, and it has retail stores in Canada and Europe. TJX announced on January 17, 2007 that its computer systems had been hacked. The personal data that was compromised included customer information related to purchases and returns, and it contained credit and debit card numbers. The number of credit and debit card numbers compromised by the attackers is unknown, but estimates (and opinions) range from about 45 million to as many as 200 million cards. According to a TJX press release, TJX believes that its systems were intruded upon from as early as July 2005 until January 2007. Eighteen months was enough time for the attackers to thoroughly ransack the TJX computer network.

Some of the data that was stolen from TJX was used to commit crimes. Police in Florida arrested six people suspected of a fraud scheme that used the stolen credit card data. Unfortunately for TJX, one of the victims was Massachusetts Attorney General Martha Coakley, whose information was used to fraudulently purchase a Dell computer. That probably contributed to the early momentum of the investigation.

Over half of all Americans have been sent notices that their personal data may have been compromised in one of the many breaches that have been disclosed. This number seems low given the vast number of databases containing personal information, the rates of reported laptop theft, and how personal information is bought, sold, and traded. One effect of these “breach notices” is that the sorry state of information security has become more visible, and people want to know why things are so bad.

Chapter 4 is devoted to breaches, so we won’t dwell on that topic here. Suffice it to say that security breaches can cause real pain to individuals whose personal data has been compromised, and one of the major causes of concern with such incidents is the threat of identity theft.

Identity and the Theft of Identity

Imitation is the sincerest form of flattery, but no one is flattered by having their good name and credit used for fraud. Such frauds include emptying your bank account, applying for credit, or getting medical care in your name. Personally identifying information such as your full name, national identity number, bank account details, and so on is valuable precisely because it can be used by someone else to impersonate you.
