TJX theft tops 45.6 million card numbers (45,600,000 card numbers stolen from TJX)

 
Robert Lemos, SecurityFocus 2007-03-30
 
More than three months after detecting a breach of its systems, retail giant TJX Companies released this week its best guess at the number of customers whose credit-card information and other data were stolen by online thieves.
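After three months of probing and analyzing its system vulnerabilities, TJX found that the credit-card and user information of many customers had been stolen over the Internet.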
Information from at least 45.6 million credit cards had been stolen by unknown attackers who had breached the company's computer transaction processing systems between July 2005 and mid-January 2007, TJX stated in its annual report filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday. It's a number that will only likely grow larger: The tally of 45.6 million credit-card accounts was calculated from data records for transactions processed between December 31, 2002 and November 23, 2003. Data files after November 2003 were deleted in the "ordinary course of business" but not before the records were likely stolen, TJX stated in its annual report.
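In its annual report on Wednesday, TJX devoted a lengthy passage to business security issues (security business agent). It is still not known who was responsible; between July 2005 and mid-January 2007 the intruder exploited system vulnerabilities to steal at least 45,600,000 credit-card numbers. The number of stolen credit-card numbers may be higher than the published figure. The figure of 45,600,000 was derived by analyzing transaction figures from December 31, 2002 to November 23, 2003.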
"To date, we have been able to identify only some of the information that we believe was stolen," the company stated in the report. "Deletions in the ordinary course of business prior to discovery of the Computer Intrusion and the technology used by the Intruder have, to date, made it impossible for us to determine much of the information we believe was stolen, and we believe that we may never be able to identify much of that information."
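The company also said in the report: "To date, we have only been able to confirm that some of the card numbers were stolen. Fortunately, the company discovered the intrusion in advance and identified the methods the intruder used. To date, we cannot determine exactly how much information was stolen."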
The breach is the largest known data theft to date, topping the 40 million credit-card numbers put at risk by a breach of CardSystems Solutions' processing systems in 2005 and leaving in the dust the 26.5 million personnel files stored on a laptop and external hard drive which were stolen from the home of an employee of the U.S. Department of Veterans Affairs. The laptop was later recovered.
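This is the largest amount of data stolen to date because of system vulnerabilities; as many as 40,000,000 credit cards were left exposed to danger because of the credit-card system. In 2005, a hard drive storing 26,500,000 personal records was stolen; the drive holding the data had been found at an employee's home, and the data on the laptop was later deleted.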
The TJX breach became public in January when the company announced it had discovered that online attackers had compromised its network. Originally the company thought the first attack had occurred no earlier than May 2006, but in late February, announced that evidence pointed to intrusions as far back as July 2005. Banks have reissued a large number of credit-card accounts put at risk by the breach, and Florida law enforcement has stated that a ring of gift-card fraudsters had used the stolen numbers to buy more than $8 million in merchandise.
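When the company announced in January that it had discovered intruders in its systems, it believed the hackers might have broken in in May 2006, not expecting that they had been in the systems as early as July 2005. Banks have reissued a large number of credit-card accounts, and the state of Florida (a U.S. state) has just published a law concerning stolen customer cards. Under this law, a fine of up to $8,000,000 applies when cards are stolen.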
 
The company minimized such reports in its financial statement.
In this report the company also touched on the reduction in its financial position.
"While we have been advised by law enforcement authorities that they are investigating fraudulent use of payment card information believed stolen from TJX, we do not know the extent of any fraudulent use of such information," the company said in its annual report. "Some banks and payment card companies have advised us that they have found what they consider to be preliminary evidence of possible fraudulent use of credit payment card information that may have been stolen from us, but they have not shared with us the details of their preliminary findings."
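"After consulting the relevant legal experts, we found that intruders had stolen customer card information from TJX; we know nothing about how the theft was carried out or how the information was used after it was stolen." "Some banks and credit-card companies advised us to provide them with the relevant stolen credit-card information to prevent the card information from being leaked, but they have not reported back the problems they found."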
The company found that two of its computer networks had been breached. The online attackers compromised the company's systems in Framingham that process and archive transactions and returns from its stores in the U.S. and Puerto Rico as well as its Winners and HomeSense stores in Canada, the firm stated in its annual report. Attackers also breached "a portion of our computer systems" in Watford, U.K., that process and archive transactions from the company's T.K. Maxx stores in the United Kingdom and Ireland, TJX stated.
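The company found that its internal network had been breached; the intruders broke into the systems at Framingham and transferred some files to their own machines. The hackers also broke into "a portion of the systems" in the U.K., from whose storage they obtained some of the data.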
Only about a third of the credit-card accounts, about 15 million, are likely at risk because of the attacks, because the other two thirds of the credit-card numbers had expiration dates that had passed at the time the accounts were stolen, according to TJX's report. However, the company did not have information on the number of credit-card issuers that used the same numbers when extending the expiration date.
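The report also notes that about a third of the credit cards, roughly 15,000,000 card numbers, are at risk because of the intruders. The other two thirds of the card numbers had already expired. However, because the company has no information from the card issuers, it cannot determine the cards' validity periods once they have expired.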
In addition, more than 450,000 names, addresses and personal ID numbers (in most cases, the person's Social Security number) were also taken from the servers, the company stated.
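In addition, as many as 450,000 names, addresses and personal ID numbers (personal Social Security card numbers) will be leaked; we also kept this information on the servers.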
The latest details revealed by TJX's annual report could further worsen the company's financial situation, said Bruce Cundiff, senior analyst for Javelin Strategy and Research. The company has already recorded a pre-tax charge of $5 million to pay for expenses caused by the breach.
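Senior analyst Bruce Cundiff said that TJX's latest annual report shows the company's financial situation; the company has already set aside $5,000,000 specifically to deal with the system vulnerabilities.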
"The more news that comes out, the worse it seems for TJX," Cundiff said. "I don't think we have seen the punishment yet that the market is going to bring to bear due to customer dissatisfaction."
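Cundiff said: "More information shows that things will get worse for TJX. Of course we do not want to see TJX get worse, but because of customer dissatisfaction, the market's trust in TJX has already shifted."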
In a survey that the analyst firm will release next week, Javelin found strong evidence that consumers are likely to vote with their feet. "They are really giving a strong indication that, if they know about a data breach--and TJX is really the most publicized to date--there is a strong chance they will never shop at that store again," Cundiff said.
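More detailed survey results will be available next week. Javelin found the following about TJX customers: "Their thinking is clear: if they know that TJX's customer information was stolen, and if TJX announces the news, they will no longer shop at TJX stores."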
 
The retail giant is besieged with consumer legal actions as well. According to the annual report, consumers have filed 12 lawsuits against the company in the U.S. and another six in Canada. A group of Massachusetts banks have filed a lawsuit for the cost of replacing consumers' credit cards and other damages, and the Arkansas Carpenters Pension Fund, which reportedly owns 4,500 shares of the company, has commenced proceedings to open up the company's books.
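The company is also troubled by being sued by consumers. According to the analysis in the annual report, under U.S. law consumers can sue the company under 12 legal provisions, and in Canada there are 6 such provisions. Some banks in Massachusetts (a U.S. state) have begun preparing the relevant legal documents to respond to emergencies. Reportedly, the Arkansas Carpenters Pension fund has begun compiling the relevant information on its 4,500 users.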
The U.S. Federal Trade Commission and a group of 30 states' Attorneys General have started separate investigations. The Office of the Privacy Commissioner of Canada has also initiated a formal investigation, TJX stated in its report.
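TJX's report states that the chief ministers of 30 states under the U.S. Federal Trade Commission have begun investigating their respective systems one by one. The investigating commissioner in Canada has also opened a confidential investigation.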
The company has hired IBM and General Dynamics to help investigate and improve its security. In addition, the U.S. Secret Service is investigating the intrusions.
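The company has hired IBM and General Dynamics (a defense contractor) to help improve and strengthen the security of its systems, and finally a U.S. security service provider is to investigate the intruders.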
 