The TJX data breach story keeps growing. I hope everyone can tell the difference between a false-alarm data breach, like the laptop theft at the VA that got so much attention, and the Card Systems International breach and now the TJX incident. Thanks to California 1386, companies are required to divulge when personal data is lost or stolen, specifically data on California citizens. As most state attorneys general do not take kindly to the idea of a large company notifying only the citizens of California, most organizations now notify everybody when they become aware of a data breach. But lost data is not the same as data that is stolen for the purpose of financial gain.
You may recall CardSystems Solutions. That credit card processing company had to reveal the theft of 20 million credit cards after the sleuths at MasterCard tracked down the source of a rash of reported fraud incidents. A hacker had broken into the computers at CardSystems, found a repository of credit card data, and stolen it. CardSystems never even noticed until they were approached by MasterCard. CardSystems went out of business about three months after that incident.
Now we learn that the Secret Service (yes, the Secret Service is the law enforcement agency that is responsible for credit card crime) has nabbed a ring of crooks in Florida who were creating counterfeit credit cards from the TJX data and using them to purchase $400 gift cards that they would then use to buy merchandise at WalMart. This article says that the total take from this project was $8 million. Let's see, that is twenty thousand separate transactions! Even if there were ten people involved, each one would have to go to a store and make a big gift card purchase 2,000 times! No wonder someone got suspicious. It really makes you wonder at the lack of controls, or at least the lack of suspicious behavior alerts, at most retail operations.
During the dot-com boom I was setting up the operations of an online gift certificate fulfillment company (i-gift.com). We worked closely with the shopping centers whose gift certificates we sold. The magic number back then was $800. Crooks would go to the mall and purchase $800 gift certificates with stolen credit cards. And sure enough, within a week of launching our service we got orders for $800 gift certificates to be delivered to an address just south of 8 Mile Road in Detroit. After getting stung the first time, we put a hold on every $800 transaction until we could investigate further. Stopped the problem.
Transaction behavior analysis and alerting is simple. I hope every retail organization in the world learns from this incident.
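As an added illustration (not code from this post or from any retailer), the two controls described above can be sketched as a hold on the "magic number" amounts plus a per-store velocity alert on high-value gift card sales. The field names, the `HIGH_VALUE` floor, the one-hour window, the per-window limit and the sample transactions are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOLD_AMOUNTS = {400, 800}        # dollar amounts named in the post
HIGH_VALUE = 300                 # assumed floor for "big" gift card purchases
WINDOW = timedelta(hours=1)      # assumed look-back window
MAX_IN_WINDOW = 2                # assumed: more than this per store is unusual


def review(transactions):
    """Return {txn_id: [reasons]} for gift card purchases that need a hold."""
    recent = defaultdict(deque)  # store -> times of recent high-value sales
    flagged = {}
    for txn in sorted(transactions, key=lambda t: t["time"]):
        if txn["item"] != "gift_card":
            continue
        reasons = []
        # Rule 1: the "magic number" hold described in the post.
        if txn["amount"] in HOLD_AMOUNTS:
            reasons.append("magic-amount")
        # Rule 2: too many high-value gift card sales at one store.
        if txn["amount"] >= HIGH_VALUE:
            window = recent[txn["store"]]
            window.append(txn["time"])
            while txn["time"] - window[0] > WINDOW:
                window.popleft()
            if len(window) > MAX_IN_WINDOW:
                reasons.append("velocity")
        if reasons:
            flagged[txn["id"]] = reasons
    return flagged


def _t(hhmm):  # hypothetical helper: build a timestamp on a constructed date
    return datetime.strptime("2007-03-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample data, not real transactions.
SAMPLE = [
    {"id": "t1", "store": "S1", "item": "gift_card", "amount": 400, "time": _t("10:00")},
    {"id": "t2", "store": "S1", "item": "groceries", "amount": 62, "time": _t("10:05")},
    {"id": "t3", "store": "S1", "item": "gift_card", "amount": 400, "time": _t("10:20")},
    {"id": "t4", "store": "S1", "item": "gift_card", "amount": 350, "time": _t("10:40")},
    {"id": "t5", "store": "S2", "item": "gift_card", "amount": 25, "time": _t("10:45")},
    {"id": "t6", "store": "S1", "item": "gift_card", "amount": 400, "time": _t("12:30")},
]

if __name__ == "__main__":
    for txn_id, reasons in review(SAMPLE).items():
        print(txn_id, ", ".join(reasons))
```

The velocity rule catches `t4` even though $350 is not a watched amount, which matters once fraudsters learn the exact figure that triggers a hold.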