Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

More Thefts From TJX Breach

Retail giant out of compliance with PCI security requirements, according to Visa alert

More than 60 banks have reported compromises of customer accounts as a result of the recent security breach at retail giant TJX Companies, and that figure is expected to grow, according to the Massachusetts Bankers Association.

And in a separate report, Visa alerted financial institutions that TJX had violated the Payment Card Industry's Data Security Standard guidelines, which prohibit long-term storage of credit card data by retailers.

Less than half of the 205 banks in Mass. have reported their findings on the TJX breach, disclosed two weeks ago. (See TJX Breach Skewers Customers, Banks.) Most of the banks reporting in have seen unauthorized account activity on at least some of the credit cards exposed in the breach, according to the MBA.

The banks are still contacting TJX customers, and in some cases, are canceling customer accounts and re-issuing cards, according to Daniel Forte, CEO and president of the MBA. The number of banks affected is "likely to grow higher," the MBA says, as many of them haven't been able to report "because the situation is such a moving target."

Officials at TJX still aren't saying how the breach occurred, but according to an alert sent Jan. 15 via the Visa Compromised Account Management System, the retailer had stored credit card data dating back to 2003. PCI rules, which are set and enforced by the credit card companies, state that merchants cannot store data for long periods.

The banks are absorbing most of the punishment resulting from the breach. It is the banks, not TJX, which are reimbursing customers for the account thefts, and it is the banks, not TJX, which could be subject to fines for doing business with a merchant that does not comply with PCI.

The banks are responding by asking for swifter action by legislators and credit card companies to require swift disclosure of breaches among retail merchants. "By not disclosing which firm caused the breach, or quickly disclosing it, consumers are needlessly troubled," Forte says.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.