Stolen Data From T.J. Maxx Parent Company Surfaces In Florida Wal-Mart Fraud

Data stolen from TJX -- the parent company of T.J. Maxx and other retailers -- has surfaced in the Sunshine State, where it's been used to help thieves steal about $8 million in merchandise from Wal-Mart stores. The thieves used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam's Club gift cards, and then used those to hit stores in 50 of Florida's 67 counties.

The Florida Department of Law Enforcement confirmed that the information used to make the fake credit cards was obtained as a result of the TJX data breach. Dominick Pape, the special agent in charge for the Florida Department of Law Enforcement, said he couldn't provide further details about how the TJX intrusion was committed or how the thieves got the stolen customer information used to make the fake credit cards because of the ongoing investigation into the breach that's taking place in Massachusetts, where TJX is based.

The fraud ring was uncovered after Wal-Mart employees became suspicious of certain shoppers who were using multiple gift cards -- many of them worth $400 -- to pay for their purchases. The $400 denomination was used because gift cards valued at $500 or more require the customer to provide some form of identification. "They knew enough to go through the area of least resistance," Pape says.

The Gainesville Police Department and Florida Department of Law Enforcement investigation began in November. After analysis of transaction records and video footage of the perpetrators, investigators arrested six suspects and issued warrants for the arrest of four more. Several of the suspects were identified as using stolen credit cards to purchase large quantities of gift cards and then buying computers, gaming devices, and big-screen televisions. Those arrested -- all living in Broward and Dade counties -- were charged with organized scheme to defraud, a first-degree felony.

TJX says the cyberintrusion that started the chain of events most likely took place starting July 2005. The company also believes that credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores from January 2003 through June 2004 -- excluding debit card transactions with cards issued by Canadian banks -- were compromised. Even worse, a number of documents sent by Visa to financial institutions that issue cards and manage Visa transactions indicate TJX was storing credit and debit card data in violation of the Payment Card Industry Data Security Standard created by Visa and MasterCard.

The trail from TJX to Wal-Mart to the big house highlights a disturbing trend in data theft that's only getting worse. In its most recent Internet Security Threat Report, released earlier this week, Symantec says it tracked the trade of stolen confidential information, including Social Security numbers, credit cards, personal identification numbers, and e-mail address lists. During the last six months of 2006, 51% of all known underground economy servers -- where this stolen information is traded -- in the world were located in the United States. U.S.-based credit cards with a card verification number were available for as much as $6, while a more fully complete identity, including a U.S. bank account, credit card, date of birth, and government-issued identification number, was available for up to $18.

Threats to confidential information made up 66% of the top 50 malicious code reported to Symantec, an increase over the 48% reported in the previous reporting period. Threats that could export user data, such as user names and passwords, accounted for 62% of threats to confidential information during the second half of 2006, up from 38% in the first half of the year.

The U.S. Federal Trade Commission earlier this month confirmed that it has launched an investigation of TJX. While the FTC wouldn't reveal the nature of the investigation or when it began, it's likely the result of this now infamous data breach.