The Boston Globe is reporting that the number of credit and debit card numbers stolen from TJX by hackers is now estimated to be at least 45.7 million, making it the largest breach reported to date of personal data stolen from one company. The card numbers were stolen over several years. From the story:
TJX, the Framingham discounter that operates the T.J. Maxx and Marshalls clothing chains, also reported in a regulatory filing yesterday that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including drivers' license numbers. "It's the biggest card heist ever," said Avivah Litan, vice president of Gartner Inc. "This was obviously done over a long period of time, in many locations. It's done considerable damage."
Litan is a little off in her statement. What she should have said is that it's only the largest breach that we're aware of. It's only been in the last couple of years that companies have had to report these breaches to customers whose data was stolen. But as I reported in a recent three-part series on cybercrime for Wired News, the breaches were occurring long before laws were passed requiring companies to report them. And many breaches are never discovered by the victim companies. You can read the cybercrime series, about the criminals behind the breaches and how their syndicates work, here:
Part I: I Was a Cybercrook for the FBI
Part II: Tightening the Net
Part III: Crime Boards Come Crashing Down
Sidebar: Tracking the Russians