StorefrontBacktalk » Search Results » TJX

Some Banks Try Again For Class-Action Heartland Lawsuit

January 21st, 2010

Shortly after Heartland tried to sweep away most of the lawsuits against it with a series of recent negotiated settlements, a group of banks is trying to persuade other banks to reject the settlement offer and support a class-action lawsuit instead.

The lawsuit, filed Tuesday (Jan. 19), hit Heartland hard for its “lack of Payment Card processing system security; its desire to use a ‘lowest bidder’ system of selecting its outsourced IT ‘auditors’; its reliance on a ’snapshot’ telling it that, at one identifiable point in time, its system supposedly complied with the bare minimum industry standards; its startlingly poor IT oversight in general; and (Heartland’s) complete and utter disregard of the oversight responsibilities they had to their fellow members of the Associations that allowed the intruders to make trip after trip in and out of the Heartland Payment Card processing system.” The lawsuit also referenced Heartland’s initial response to the attack. “Thirteen months later, the ‘clean up’ efforts would be seen for what they were—worthless.” (Pause. But other than that, Mrs. Lincoln, how was the play?)



Target Admits It Was Breached

January 2nd, 2010

Years after it was breached by a member of Albert Gonzalez’s cyberthief gang, some 17 months after its name was quietly kept out of an indictment in which it was referenced and five months after StorefrontBacktalk published its involvement, Target has confirmed that it was the victim of a data breach.

“Target was one of the companies affected by an intrusion that occurred two years ago. However, the exposure—both in time and number of accounts—was extremely limited,” said Target spokesperson Amy Reilly. “A previously planned security enhancement was already under way at the time the criminal activity against Target occurred and we believe that, at most, only a tiny fraction of guest credit and debit card data used at our stores may have been involved.”



Gonzalez Attorney: He May Not Have Known Right From Wrong

December 16th, 2009

Accused cyberthief ringleader Albert Gonzalez may not have had the “capacity to knowingly evaluate the wrongfulness of his actions and consciously behave lawfully and avoid crime” and his criminal “behavior was consistent with the description of Asperger’s disorder,” according to a government filing on Tuesday (Dec. 15), which itself quoted from a defense psychologist report.

The government was asking a federal judge for more time to investigate before a sentencing hearing, said the memo from Assistant U.S. Attorneys Stephen P. Heymann and Donald L. Cabell. “The government has been given no prior notice of either of these assertions, the defendant’s intended reliance on expert testimony to support them or that the defendant was undergoing a psychological forensic examination.”



Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security

December 10th, 2009

A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn’t proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge’s detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.

Unlike earlier retail data breach lawsuits—typically with consumers or banks as plaintiffs—this was a shareholder action and merely needed to prove that Heartland execs misled the public about their security status. U.S. District Court Judge Anne E. Thompson, sitting in New Jersey, concluded Heartland execs had not. She listened to recordings of an analyst call to conclude that, in full context, the processor’s security claims were technically true.



Gonzalez’s Mystery Merchant Asks To Stay That Way

December 10th, 2009

Albert Gonzalez—who has already pleaded guilty to masterminding a cyberthief ring that stole data from TJX, BJ’s Wholesale Club, Boston Market and Sports Authority, among other major chains—signed papers this month agreeing to plead guilty to the remaining federal charges against him. But one of the retail chain victims, which federal officials have yet to officially identify, asked the court to protect its “dignity” by preventing the government from releasing the chain’s name.

Gonzalez agreed to plead guilty to his role in attacks on Heartland, Hannaford and 7-Eleven in a document signed at 10:14 AM New York time on Dec. 2.


U.K. Postal Strike Prompts E-Tailer Thumb-Sucking

November 4th, 2009

Basking in the instant efficiency of E-mail and other forms of digital communication, we tech-savvy types often look down our noses at “snailmail.” But E-mail can’t deliver a pair of shoes. And, as an ongoing mail strike in the U.K. is reminding us, even the most Web-proficient retailers stand to suffer when wrenches are thrown into the easily-taken-for-granted cogs of the good old postal services. The strike by the Royal Mail union, whose members deliver letters and packages throughout the U.K., began October 22 and it has E-Commerce operators wringing their hands as the holiday shipping frenzy is about to begin.

The nail biting began even before the strike began. A survey by Interactive Retail in Media Group reportedly found that 85 percent of E-tailers believed even the threat of a postal strike would discourage their customers from placing holiday orders. At least one retailer, TJX, decided to be proactive. On its U.K.-only E-Commerce site, TKMaxx.com, the $19 billion seller of off-price clothes had this to say: “Postal strike? Phah! For the same price as our Royal Mail standard delivery, TK Maxx is upgrading this service to our DHL courier partner for the duration of the postal dispute.”


Wal-Mart’s VPN Data Breach Raising Server Log Questions

October 15th, 2009

Back in June 2005, right around the time that several major retailers (including TJX, BJ’s Wholesale Club, Boston Market and DSW) were being attacked by Albert Gonzalez’s cyber thief gang, Wal-Mart was quietly experiencing its own data breach. In Wal-Mart’s case, though, the breach began in June 2005 and wasn’t discovered by the chain until some 17 months later.

These new details of Wal-Mart’s data breach—which saw POS source code grabbed and zapped to parties unknown in Eastern Europe—are shedding more light on the early days of such retail assaults and how various chains learned of and then dealt with them. But here’s the rub: Wal-Mart maintains that no customer or employee data was taken. Does it truly stand to reason that those thieves would have had secret access to the systems from the world’s largest retailer for 17 months and not taken any names or card data? Oddly enough, it seems likely that they, in fact, didn’t. And therein lies the potentially most intriguing part of the story.


The Mobile Payment Conundrums: To Chip, To Store, To Bank?

October 1st, 2009

The payment strategy struggles for Mobile-Commerce continue, with retail IT execs seeing the phone as a future “Get Out Of Interchange Jail Free” card in an elaborate game of Card Brand Payment Monopoly. Some see future secure chip-integrated phones as the answer, a way that moves payments away from Visa and MasterCard and permits a secure way to tap directly into a consumer’s bank account.

But retailers pursuing such a strategy might quickly discover that, with payment, when one door closes another opens—and it’s likely a trapdoor beneath your feet. For example, a secure route to bank accounts may indeed sidestep most—if not all—card fees for those mobile transactions. But it would also remove the liability shield that the brands’ zero-liability programs offer.


When Hit With A Major Data Breach, Retailers Should Use The Buddy System

September 16th, 2009

There’s a very old joke that when swimmers are about to go into shark-infested waters, they should always swim with a buddy. If a shark attacks, feed him your buddy. Retailers today, swimming in cyberthief-infested wireless zones, are discovering a similar guideline plays out when there is an attack against a large number of retailers, such as what happened with TJX, Hannaford, 7-Eleven and others in the Gonzalez cases.

Despite those heavy-weight retail brands, only a couple have borne the vast majority of the costs and headaches associated with a breach. Why? Because the first one or two chains have to go through the expense of identifying the breached numbers and having them shut down and reissued. That task’s completion makes life so much easier on the others. It’s also better for investigative costs, brand reputation and several other factors. Is this fair? Can and should something be done to make it more equitable?


After Gonzalez Plea, Feds Say BJ’s, OfficeMax Had More Critical Role

September 13th, 2009

When Albert Gonzalez officially pleaded guilty to many of the federal cyberthief charges against him on Friday (Sept. 11), the government shed a little more light on the case, such as that it was BJ’s Wholesale Club that was first attacked and that the Secret Service has collected “more than forty million distinct credit and debit card numbers from two computer servers” controlled by Gonzalez and his associates and has counted the consumer, retail and bank victims as “an enormous number of people, certainly millions upon millions, perhaps tens of millions.”

In Friday’s hearing, the government for the first time put a number next to the DSW breach, saying that the $1.5 billion apparel chain operating 300 stores in 37 states (in addition to supplying footwear to 367 leased locations) lost more than one million card numbers in the breach. The government also said that OfficeMax—the $8.3 billion office supplies chain with 939 stores in the United States and 83 in Mexico—played a crucial role, with Assistant Boston U.S. Attorney Stephen Heymann saying that OfficeMax’s “then vulnerable encryption of PINs enabled Gonzalez (and a colleague) to sell the conspirators’ bounty for particularly large profits.” The only new data morsel about TJX to emerge was a Heymann estimate that TJX alone “suffered close to $200 million in losses and associated expenses.”


TJX Settlement. More Proof That Security Investment Is Really Hard To Justify

September 7th, 2009

Not that it was needed, but more proof materialized this month that substantial security investments are really hard to justify. TJX announced Sept. 2 what will likely be the last of the settlements of class action lawsuits against it from the data breach of its systems that began in 2005 and which impacted more than 100 million payment cards.

Last Wednesday (Sept. 2), TJX struck quite a bargain and settled with the handful of remaining banks. In settling all claims with four financial institutions—AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union and Trustco Bank—TJX agreed to pay $525,000 to be split among the four. Was that punitive, or was it something closer to a nuisance payment for the $19 billion retail chain? Punitive would generally mean covering all legal costs, reimbursing the banks for all out-of-pocket costs and then paying them something to compensate for the pain of the litigation. The payment specifically excluded legal fees. According to the statement TJX issued, the settlement didn’t even cover all of the banks’ out-of-pocket expenses, let alone offer anything for their efforts. Oh, and it also allowed TJX to say that it “has denied all wrongdoing.” The amount was small enough that it was already covered by a reserve TJX took back in the second fiscal quarter of 2007.


Gonzalez Agrees To Plead Guilty On All Counts, Surrender Almost $2.8 Million

August 30th, 2009

Albert Gonzalez, whom the federal government has accused of breaking into the payment card databases of TJX, Hannaford, 7-Eleven, Target, J.C. Penney and a laundry list of other major retailers, has agreed to plead guilty to all of the charges against him from Boston and one count from New York, as StorefrontBacktalk reported on Thursday (Aug. 27). The plea agreement was filed on Friday (Aug. 28). His plea deal does not–at this time–include the New Jersey charges.

In the Gonzalez plea bargain, the agreed-to sentencing recommendation—which calls for at least 15 years in prison and “no more than 25 years” in prison—does not seem much more lenient than he would have faced at trial. Even with as extensive a cyber attack as these, most U.S. courts wouldn’t go anywhere near “more than 25 years” in cases where no one was physically hurt and the defendant wasn’t accused of real violence or threatening violence. But a jury is a tricky animal and, technically, the counts he is pleading guilty to have a cumulative maximum sentence of 193 years in prison.


J.C. Penney, Target Added To List Of Gonzalez Retail Victims

August 27th, 2009

Albert Gonzalez, who has been accused of managing the data breaches at TJX, Hannaford, 7-Eleven and Heartland (among many others), has once again agreed to plead guilty to parts of two of the three federal cases against him, his attorney, Rene Palomino, said Thursday (Aug. 27). Two other major retail names have also been added to the list of retail victims: J.C. Penney and Target, as the list of unidentified retailers shrinks.

Look for Gonzalez to officially plead guilty to the federal charges from Boston, primarily involving TJX, BJ’s Wholesale Club, Boston Market and Sports Authority and New York, primarily involving Dave & Buster’s, on Sept. 11.




Chasing A Hacker’s Hacks Around The World

August 24th, 2009

As details trickle out about how the feds supposedly broke the Gonzalez attacks against TJX, Hannaford, Heartland, 7-Eleven and tons of others, much of it focuses on a global effort to access servers and laptops overseas and doing so in countries where U.S. law enforcement cooperation is perhaps not what it should be.

Wired did a wonderful piece, summarizing federal filings in the New York part of the Gonzalez accusations (this is the Dave & Buster’s case). The story details the chase for a laptop in Turkey and the legal and police bumps along the way. Nothing new revealed for retailers trying to protect their networks, but it’s interesting background nonetheless.


Gonzalez Case Raises Very Old Retail Security Issues

August 23rd, 2009

Since the earliest days of law enforcement, police have wrestled with the appropriate way to deal with criminal gangs. At its simplest, what should be done with two burglars who break into a house? Who is the primary lawbreaker and who is merely the assistant? Legislatures and courts have often tried to sidestep the question, declaring that a murder charge, for example, will be applied to all participants of a home break-in if anyone gets killed. As a practical tactical matter, police (and that includes the FBI, Secret Service, assistant district attorneys, deputy attorneys general and anyone else charged with apprehending and punishing wrongdoers) often use that ambiguity as a tool to pressure confessions. In short, the one who talks first gets to point the finger at the others and cut himself/herself the sweeter cooperating-witness deal, while the suspect who hesitated gets left being charged as the scheme’s mastermind.

Such a drama is now unfolding with the Albert Gonzalez case, the Miami man accused of breaking into TJX, Hannaford, Heartland, Barnes & Noble, Sports Authority and a laundry list of others. Is Gonzalez the mastermind of a cyber thief ring? Was he coordinating different teams in the U.S., each group assigned to attack different retail chains? Or was he merely the pawn of an Eastern European data theft syndicate? In Dickensian terms, was he more Fagin, the Artful Dodger or even Oliver Twist?


Gonzalez: The Al Capone Of Cyber Thieves?

August 19th, 2009

Albert Gonzalez, the Miami resident who was indicted last summer for stealing credit card data from TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW, can now add Heartland, Hannaford and 7-Eleven to the lengthy list of retailers that the federal government says he penetrated. In case you feel left out, there are two to three additional major retail chains that the feds have accused him of attacking, although those chains have yet to disclose that they were breached.

But the indictment revealed several key contradictions with 7-Eleven and Heartland and one major retailer’s security executive found the government’s specifics to be a convincing indictment against PCI.


Network Solutions Data Breach Hits 574,000 Consumers

July 27th, 2009

An E-Commerce software company that, as part of its service for small retailers, accepted payment card data and then sent it to various processors has found itself on the wrong end of a data breach news release, confirming that payment data from some 574,000 customers—processed through 4,343 of its small retail clients—had been accessed. The stolen data included transaction specifics, card account numbers, names and consumer addresses. The vendor—Network Solutions—had been certified PCI compliant (you just knew that was coming, no?).

The details include an early PCI attempt to walk back the certification, retailers complaining about their names appearing in a breach notification letter and the vendor bringing in General Dynamics, a familiar name from the data breach probes of both TJX and Hannaford. Plus a former IT manager with the company claiming that it retains credit card data a lot longer than it says it does.


U.S. Senate’s Data Breach Bill Full Of Flawed Assumptions

July 26th, 2009

The chairman of the powerful U.S. Senate Judiciary Committee, Sen. Patrick Leahy, is trying—after two failed attempts—to get his data breach bill made into law. But even though his bill would answer the pleas of many retailers by creating one single national standard for handling major retail data breaches, the bill’s details don’t deliver the comprehensive relief promised. In short, the bill is trying to make it more difficult for major retail chains to hide large data breaches when, in fact, the wording will make it easier for them to hide such breaches.

The core of the bill is where things get a bit dicey. It requires retailers to notify consumers impacted by a breach “without unreasonable delay” but it doesn’t say how much time retailers can take. Without that specific, it would seem difficult to enforce the law. Even worse, the exemptions for notification are so broad as to make it unlikely that any retailer would actually be impacted. For example, the bill provides a blanket exemption as long as a chain “provides a written certification to the U.S. Secret Service that providing such notice would impede a criminal investigation or damage national security.” The Secret Service then has to perform a review to determine if it’s a warranted claim. The problem is that the claim that something might impede a criminal investigation is so broad as to be meaningless.


Clarifying, Somewhat, The PCI Wireless Security Standards

July 22nd, 2009

The new PCI wireless guidelines are helpful, but they could have—should have—gone a few steps farther, opines PCI Columnist David Taylor. For example, one of the technical controls introduced with PCI DSS 1.2 is the wireless IDS/IPS. It’s listed as an option, with the other option being to manually carry a laptop around corporate sites and stores running wireless networks on a quarterly (or more frequent) basis to see whether any networks appear that the security person (if any) does not recognize.

Although it’s certainly understandable that, for SMEs, the cost of a wireless IDS/IPS can be prohibitive, this is the sort of technology that should be mandatory for larger (i.e., Level 1 and 2) companies. That is not only because of the time and effort that it saves, but also because it can be extremely difficult to spot “rogue” or malicious networks in dense urban areas, shopping malls and large multi-company facilities.

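Whichever option a chain picks, the work behind it is the same: compare what the radios can see against an inventory of what is supposed to be there. The following is an added example, not code from the column or from any PCI tool, that runs that comparison on a constructed scan dump and a constructed inventory. The BSSIDs, SSIDs and signal thresholds are assumptions chosen for illustration; the classification mirrors what a wireless IDS/IPS alerts on and what the laptop-walk analyst has to work out by hand.

```python
"""Rogue-AP check of the kind a PCI DSS 11.1 quarterly wireless walk-around performs.

Added example: compares a constructed wireless scan against a constructed
authorized-AP inventory and flags what a wireless IDS/IPS would alert on.
Neither the inventory nor the scan comes from the article or from any real site.
"""
from dataclasses import dataclass

# Authorized access points, keyed by BSSID (constructed sample inventory).
AUTHORIZED = {
    "00:11:22:33:44:01": "STORE-POS",
    "00:11:22:33:44:02": "STORE-POS",
    "00:11:22:33:44:10": "STORE-GUEST",
}
# SSIDs that carry cardholder data traffic; any unknown radio using one is an evil twin.
CARDHOLDER_SSIDS = {"STORE-POS"}
# Unknown radios at or above this signal level are close enough to be inside the store.
NEARBY_RSSI_DBM = -65
WEAK_SECURITY = {"OPEN", "WEP"}  # PCI DSS 1.2 phased WEP out of cardholder environments

# Constructed scan output in a simple CSV form: bssid, ssid, rssi_dbm, security.
SAMPLE_SCAN = """
# bssid, ssid, rssi_dbm, security
00:11:22:33:44:01, STORE-POS, -48, WPA2
00:11:22:33:44:02, STORE-POS, -55, WEP
00:11:22:33:44:10, STORE-GUEST, -50, WPA2
AA:BB:CC:DD:EE:01, STORE-POS, -52, WPA2
AA:BB:CC:DD:EE:02, CAFE-WIFI, -81, WPA2
AA:BB:CC:DD:EE:03, linksys, -58, OPEN
"""


@dataclass(frozen=True)
class ScanHit:
    bssid: str
    ssid: str
    rssi_dbm: int
    security: str


def parse_scan(text: str) -> list[ScanHit]:
    """Parse the CSV-style scan dump; BSSIDs are normalised to lower case."""
    hits = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, rssi, security = (f.strip() for f in line.split(","))
        hits.append(ScanHit(bssid.lower(), ssid, int(rssi), security.upper()))
    return hits


def classify(hits, authorized=AUTHORIZED, chd_ssids=CARDHOLDER_SSIDS,
             nearby_dbm=NEARBY_RSSI_DBM) -> dict[str, str]:
    """Return {bssid: finding} for every radio that needs a human to look at it."""
    findings = {}
    for h in hits:
        expected_ssid = authorized.get(h.bssid)
        if expected_ssid is not None:
            # Known hardware: still check it is configured the way the inventory says.
            if expected_ssid != h.ssid:
                findings[h.bssid] = "inventory-mismatch"
            elif h.security in WEAK_SECURITY:
                findings[h.bssid] = "weak-crypto"
            continue
        if h.ssid in chd_ssids:
            findings[h.bssid] = "evil-twin"       # unknown radio impersonating the POS SSID
        elif h.rssi_dbm >= nearby_dbm:
            findings[h.bssid] = "unknown-nearby"  # strong and unrecognised; could be a rogue
        # Weak, unknown networks (the cafe next door) are just noise in a dense mall.
    return findings


if __name__ == "__main__":
    for bssid, finding in sorted(classify(parse_scan(SAMPLE_SCAN)).items()):
        print(f"{bssid}  {finding}")
```

The signal threshold is the part that does not scale by hand: in a mall or a multi-tenant building, dozens of legitimate neighbours sit just below it, and the only way to keep the evil-twin and strong-unknown cases from drowning in them is to run the comparison continuously rather than once a quarter.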

Can the Government Be Sued For Plagiarizing PCI DSS?

June 24th, 2009

Nevada is making PCI the law and a group of state attorneys general plagiarized it liberally while trying to figure out what to force TJX to do. Like it or hate it, PCI Columnist David Taylor argues, the PCI DSS is the only set of data security standards out there that actually comes with an effective, ongoing validation and enforcement process.

That is not true of HIPAA or the vast majority of state or national data privacy or breach disclosure laws. Enacting PCI into law may help, but actually allocating government funds to review compliance on a regular basis does not seem likely, so these laws (like the breach disclosure laws) will be ignored by all except compliance officers, vendors, consultants and security geeks.


States Scaring The POS Off Randomly Regulated Retailers

June 24th, 2009

When it comes to regulating retailers, what could be worse than an over-zealous Washington? How about fifty over-zealous “Washingtons”? Discussions about “Big Brother” and onerous regulation of business usually center around the federal government. Not that Uncle Sam isn’t evil at times, but these days it’s the states that are causing the big headaches for retailers, especially those that operate on a multi-state or national level.

Every couple of weeks, it seems, another state makes news for attempting to regulate, tax or otherwise control retailers and retail technology. The toughest part, for merchants, is that states usually tackle the issues with little regard to being aligned with the efforts of their colleagues in other states or for the hardships their one-of-a-kind provisions impose on retailers. The laws just keep on coming. Nevada, for example, passed a data protection law last month that goes into effect Jan. 1, 2010. In addition to forcing businesses to use encryption when data storage devices containing personal information are moved outside the company’s physical or logical control, the new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards.


TJX Settlement: Is This Really The Message We Want Sent?

June 24th, 2009

When a group of 41 U.S. states announced a settlement with TJX this week—a supposed punishment for the retail chain, in the words of one state attorney general, for treating sensitive payment card information “like trash”—it was billed in some circles as a painful lesson for retailers who treat security laxly. The truth is, the lesson was just the opposite.

The deal (see our full coverage of the terms of the settlement) consisted of three elements: Payment; new security rules; the need to report back to the states. How painful were any of those elements for the $19 billion owner of Marshalls, T.J. Maxx, HomeGoods, A.J. Wright, HomeSense and Winners? Let’s take a look at each.

  • The $9.75 Million Payment
    At a glance, a payment of almost $10 million sounds like a lot, until you delve deeper. None of the dollars were punitive per se. The smallest slice–$1.75 million—went to reimburse the legal and administrative costs of the states investigating the breach and negotiating this settlement for two-and-a-half years.


TJX Agrees To Pay States Almost $10 Million For Data Breach

June 24th, 2009

After a probe and negotiations lasting two-and-a-half years, the TJX chain agreed on Monday (June 22) to pay a group of 41 U.S. states $9.75 million for what appears to be the credit card industry’s worst data breach, a crime that touched more than 100 million payment cards and was revealed in January 2007.

But the dollars behind the settlement are relatively trivial for the $19 billion owner of Marshalls, T.J. Maxx, HomeGoods, A.J. Wright, HomeSense and Winners. The biggest impact will likely come from a wide range of security concessions, although many of the rules had already been directly or indirectly required by existing PCI guidelines.

Dismissing Hannaford Lawsuits, Federal Judge Tells Consumers: Show Me The (Lost) Money

May 13th, 2009

U.S. District Court Judge D. Brock Hornby on Tuesday (May 12) became the latest jurist to rule in favor of data-breached retailers, telling Hannaford consumers that because they were compensated by their banks, they have no basis to sue civilly here. “There is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent. Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence.”

Similar to rulings in cases involving fellow data-breach retail victim TJX, Hornby said he couldn’t allow almost any of the plaintiffs to continue with the case because the consumers hadn’t suffered out-of-pocket financial losses. In an ironic sense, this all stems from the card brands’ zero-liability programs. Those programs guarantee that consumers will have all fraud losses wiped clean. (The one plaintiff who can continue is a consumer whose fraud loss costs—for reasons unknown—were not covered by her bank.) It’s ironic because the programs were created to make consumers feel safer about their payment security. Today, that program is preventing consumers from successfully suing retailers that mishandle their data, which in turn makes it more difficult for retailers to justify spending more than the minimum on data security.

Implications of Heartland’s Beyond PCI Strategy for Retailers

May 13th, 2009

Retailers need to carefully examine any new “beyond PCI” technical approaches being offered by their processors, as well as other service providers. They need to think about what will be required of them to take advantage of such “end-to-end” security and whether the investment in technology and labor will be transferable, should they decide to switch to a competitor.

Beyond focusing on avoiding “Beyond PCI Lock-in,” pens GuestView PCI Columnist David Taylor, retailers also need to focus on ensuring that these new security efforts don’t break their existing applications. Some of the tokenization and end-to-end encryption approaches currently (or soon to be) on the market don’t always play nice with existing ERP, CRM and other enterprise applications.

POS As The Great Protector

April 8th, 2009

The POS system is the Rodney Dangerfield of the retail IT world: It gets no respect. (Could have gone back yet further and said it was the Red Buttons of the retail IT world because it never gets a dinner, but that’s an even more obscure pop culture reference.)

Chains are just starting to see the business ROI potential of POS—especially when working with CRM—to fuel upsells and to legitimately increase loyalty. But few look at POS as a potential protector, and a protector against some potentially very large expenses. Consider four items from the last few days.

Federal Judge In Hannaford Data Breach Case To Decide Responsibility Issues

April 5th, 2009

A federal judge in Maine is promising to issue a decision imminently about whether a data breach class action lawsuit against Hannaford will be allowed to proceed. The arguments before U.S. District Court Judge D. Brock Hornby in the Hannaford case are almost identical to those put in front of another federal judge in late 2007 overseeing the TJX data breach. Although the first federal judge ruled in favor of TJX, a different federal judge could very easily go in a very different direction.

In both cases, the judge was overseeing the case of a major retailer and a very large data breach, presumably facilitated to varying degrees by IT errors or oversights by the retailer. The arguments boil down to this. The attorneys representing consumers suing Hannaford are arguing that Hannaford knew—or should have known—that its payment security procedures were inadequate and yet it still allowed consumers to use their cards at the chain’s stores.

Federal Appellate Panel Sends TJX Case Back To Court, Move Likely To Cost TJX Millions More

April 2nd, 2009

When a federal appellate panel ruled on Monday (March 30) that it was sending a small part of one of the civil lawsuits involving TJX’s data breach back to the district court, it was a very narrow decision. But the act of sending it back and allowing discovery to start again is likely to force TJX to spend millions more, according to attorneys watching the case. Perhaps even more importantly, the ruling is likely to slightly alter the risk-cost balance of retail security, putting just a little more pressure on chains to invest in their security operations.

It is true that discovery can be frightening for typical companies involved in class-action civil lawsuits, but for TJX, it can be positively terrifying. Throughout two trials, TJX showed itself to be far more worried about revealing thus-far-unreleased security details than about monetary payments or almost anything else.

TJX Over-Budgeted Its Data Breach Costs Last Year By $30.5 Million

February 25th, 2009

Although $19 billion retail chain TJX is suffering from the economy like all other chains, it recently got a $30.5 million financial windfall. How? By having underestimated how well it would do in court against various lawsuits and probes from the credit card industry’s worst-ever data breach. It impacted more than 100 million consumer cards, and some of the data grabbed came from as early as 2003.

According to TJX’s earnings statement issued Wednesday (Feb. 25), the chain had set aside significantly more money than it ended up needing to deal with the 2006 breach, thereby allowing the company to reallocate cash for other purposes and add about $18 million to the year’s net income.

Facebook Users: Do What I Want, Not What I Say

February 22nd, 2009

Facebook officials learned a hard lesson this month when the social networking site snuck in a privacy policy change that could have allowed it to access users’ content—and use it forever for pretty much anything Facebook could think of—even after users had deleted it from their accounts. After public backlash, the policy was reversed—for now. But I’ll bet serious money that these execs learned the wrong lesson.

To interpret motivation and real intent, sometimes a look at history can be useful. Do you remember another Facebook privacy incident back in December 2007? In that case, Facebook tried sharing—without permission—customers’ purchases with people on their friends list. Is this a pattern? Is Facebook trying things, and if it’s caught and there’s a loud enough protest, the site pulls back? In short, is Facebook trying the permission versus forgiveness approach? Indeed, it seems to have tried both options. For a company that is trying to solidify a brand and build as much trust as possible, these tactical approaches seem odd.

    What Do Best Buy, Rite Aid Say About Data In A Merging World?

    February 11th, 2009

    Some four months after Best Buy dropped $121 million in mid-September 2008 to take over downloadable music pioneer Napster, both companies quietly said that Napster’s privacy policy was changing to let Best Buy do a wide range of unannounced things with the newly obtained data riches. Napster’s CEO, Chris Gorog, went so far as to write a blog that spoke of “personalized music pre-loaded on new MP3 players or mobile phones because of our collaboration.”

    Regardless of what Best Buy ends up doing, in today’s rock-bottom economy, with its mergers and bankruptcies, the retail concept of data ownership is getting quite a workout. For example, CompUSA closed its doors but has now reemerged in a very different form in Florida. And there’s no telling where the petabytes (exabytes?) of customer information now controlled by Circuit City will wind up. From a privacy perspective, there are even scarier possibilities than someone’s music or computer purchases falling into the wrong hands.

    Read more...

    How Long Is A Point-In-Time Audit Good For?

    January 28th, 2009

    All PCI QSAs worthy of their certifications will tell you that their assessment is a “point-in-time” audit. After all, with 200+ controls to review, how could it be anything else?

    But, GuestView PCI Columnist David Taylor argues, how long is a “point in time”? And is there any way to make that point in time last longer, so that a “state of compliance” can persist for months–or at least until the next “point-in-time” review?

    Read more...

    Heartland Sniffer Hid In Unallocated Portion Of Disk

    January 28th, 2009

    The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

    “A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said. Payment security experts pretty much agreed that hiding files in unallocated disk space is a fairly well-known tactic. But it requires such a high level of access—as well as the skill to manipulate the operating system—that it also indicates a very sophisticated attack. One of those security experts—who works for a very large U.S. retail chain and asked to have her name withheld—speculated that the complex nature of the hiding place, coupled with the relatively careless leaving of temp files, could suggest a less-skilled cyberthief who simply obtained some very powerful tools.

    Read more...

    From The Heartland Breach To Second Guessing Service Providers

    January 21st, 2009

    When the Heartland breach was announced Tuesday (Jan. 20), it started to raise questions about whether major payment processors are really any more secure than their retail counterparts. GuestView Columnist David Taylor doubts they are, but he has advice for finding out.

    Malware has two countervailing trends, both likely to continue. The first is that there is a rapidly growing market for highly automated malware that uses basic building blocks and can be easily adapted to identify and exploit new vulnerabilities. This malware exploits unpatched servers, poorly defined firewall rules, the OWASP top 10, etc. It is really aimed at the mass market–SMEs and consumers. Then there is the high-end malware that employs the “personal touch”–customized to specific companies and often combined with social engineering to ensure it’s installed in the right systems. This type of malware got TJX, Hannaford and now Heartland.

    Read more...


    Heartland Breach Hit At Its Unencrypted Point

    January 21st, 2009

    Are data thieves now bypassing retailers and hitting payment processors directly? That may be the case if the initial details about the new Heartland Payment Systems breach—where the data from some 100 million cardholders is handled—hold true. (That said, has anyone ever seen the initial information about a major data breach hold true for more than a week?)

    Early on Tuesday (Jan. 20), Heartland issued a statement saying that it had been “the victim of a security breach within its processing system in 2008.” But it didn’t take long for some of those initial details to fall apart.

    Read more...

    TJX Suspect Sentenced To 30 Years In An Unrelated Case

    January 9th, 2009

    A key suspect in the TJX data breach case has been sentenced to 30 years in prison, but it has nothing whatsoever to do with the TJX case.

    Maksym Yastremskiy was charged in Turkey with breaking into Turkish bank accounts electronically. During the hearing where he was sentenced to 30 years, he said that a laptop computer found in his hotel room containing bank information belonged to a friend. “I am innocent. I didn’t do anything to break bank accounts. Somebody else did it, not me. I want to be released from the jail,” he told the judge, according to The Boston Globe.


    True Cost Of Data Breaches Much Less Than Thought

    January 8th, 2009

    Despite industry estimates that retail data breaches typically cost about $200-$300 per compromised card, a Maine government report found the cost to have been $7.49 for TJX and $6.77 for Hannaford. That’s about 40-50 times less.

    Security vendors are always fond of releasing the most extreme estimates of data breach costs, to justify an ROI argument for retailers paying them a lot of money. But retailers can contact consumers in very cost-effective ways and can often get communication help from others involved, such as the card brands and the processing bank.

    Read more...

    Sears, OfficeMax Agree To Pay In Gift Card Patent Lawsuit

    January 8th, 2009

    Sears and OfficeMax have agreed to settle a lawsuit against them—and several other major retailers, including Walgreens, Barnes & Noble and Aeropostale—as the chains find themselves losing legal challenges to a company with a gift card validation process patent. That vendor argues that almost every retailer today is in violation of its patent if they accept gift cards at their physical stores.

    Sears and OfficeMax join TJX and McDonald’s as having settled—or agreed to settle—their roles by agreeing to license the technology from Card Activation Technologies.

    Read more...

    How Much Do You Really Know About Your Security Consultant?

    November 14th, 2008

    The Web is overflowing with analysis of the TJX data breach disaster, but this posting from Plausible Deniability does a better job than most. What’s intriguing is the possibility that some of the indicted suspects may have worked as code writers in the light of day for some major companies, including Morgan Stanley.

    With so much security outsourcing today, it raises some uncomfortable questions about how much you really know about the security specialists you now have working in your computer room.


    One More Charged In TJX Breach

    November 6th, 2008

    Federal prosecutors have apparently accused a New York man of providing a sniffer program to help the TJX cyberthieves steal payment data. The fact that 25-year-old Stephen Watt has been charged with unlawful access to computers, wire fraud, aggravated identity theft and money laundering is not in dispute, nor is the fact that he has been accused of delivering a sniffer program to accused TJX mastermind Albert Gonzalez.

    But the feds have been vague about whether Watt was involved in the TJX data heist, even though the timing of the accusations would seem to place him in the middle of the largest payment card data breach ever, according to this Computerworld story. Watt allegedly provided a sniffer program that allowed Gonzalez and other gang members to identify and capture credit and debit card data traveling over the networks they had broken into. In January, Watt edited and modified a sniffer program dubbed “blabla” that was used by the gang and stored in a server with a Latvian IP address, according to the story.


    Breach Update: Forever 21 Stored 5-Year-Old Transaction Data

    September 25th, 2008

    New information released by Forever 21 confirms that the almost 100,000 credit and debit cards accessed from the chain in a breach included transactions from 2003 through 2005, which were stored in a corporate data center, apparently in violation of PCI rules.

    Unlike some of Forever 21’s fellow retail chain victims in the so-called TJX Breach case—including TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority and DSW—Forever 21 now says that wardriving was not involved in its breach and that the data was accessed directly from the corporate data center.

    Read more...

    Second TJX Case Defendant Pleads Guilty

    September 25th, 2008

    A second defendant in the so-called TJX Breach case—which also had at least seven other major retail chains as fellow victims—pleaded guilty Monday (Sept. 22), this time to charges of conspiracy, unauthorized access to computer systems, access device fraud and identity theft.

    The accused, Christopher Scott, a 25-year-old Miami resident, pleaded guilty after prosecutors said they could prove that he was paid $400,000 for assisting a retail wardriving scheme. Scott’s plea follows the Sept. 11 guilty plea of fellow Miami resident Damon Patrick Toey.


    Forever 21, DSW Clarify Their Data Breach Details

    September 15th, 2008

    Two major retailers—Forever 21 and DSW—have for the first time released small details about their roles in what has become known as the TJX Breach, the worst ever recorded in credit card history.

    On Friday (Sept. 12), Forever 21 issued a statement saying that the chain had been wirelessly breached repeatedly between Mar. 25, 2004, and Aug. 14, 2007, and that thieves “accessed older credit and debit card transaction data for approximately 98,930 credit and debit card numbers,” including about 20,500 card numbers taken from one particular store in Fresno, Calif.

    Read more...

    One Guilty Plea In TJX Data Breach Case, As More Victims Emerge

    September 12th, 2008

    As one of the 11 defendants in the federal data breach charges involving TJX and others pleaded guilty Thursday (Sept. 11), federal officials confirmed that there are quite a few other victims of the breach that have yet to be publicly identified.

    In a filing on Thursday, U.S. Attorney Michael Sullivan told U.S. District Court Judge William G. Young that “There is forensic and/or testimonial evidence that the defendant and his co-conspirators hacked into numerous other businesses, which have not yet been publicly identified.”

    Read more...

    TJX Exec Backs Chip-and-PIN, Encryption Through Private Networks

    September 3rd, 2008

    A TJX senior executive is apparently trying to push chip-and-PIN, arguing that cyberthieves are focused on the United States partly because we haven’t adopted it. “Criminals, I believe, are focusing on the countries that haven’t added that higher level of security,” TJX Vice Chairman Donald G. Campbell said.

    Campbell also backed encrypting data as it is sent to banks, even over private networks. There’s little question that both moves would improve security, but the cost and change required will also make them almost impossible to deploy. As TJX execs know better than anyone, market forces to push such change are essentially non-existent.

    Read more...

    TJX Hit With Another Bank Lawsuit

    September 3rd, 2008

    Almost a year after TJX settled with banks and bank associations impacted by the worst data breach in credit card history, another bank has come forward with its own lawsuit against the retailer, claiming the incident compromised some 4,000 of its customer accounts.

    TrustCo, which operates more than 100 banks nationwide, filed the lawsuit in the New York Supreme Court against TJX in July, saying that it had never been invited to participate in the initial group of banks suing TJX. This bank’s accusations mirror the other banks’ charges, namely that TJX “breached its duties” by allowing the intrusion. TJX replied that it was the bank’s own fault.

    Read more...

    Thieves Don Repair Uniforms To Install Card Swipe Skimmers

    August 21st, 2008

    A gang of data thieves in Ireland has well learned the lesson that the best place to hide is in plain sight. The group hit a large number of retailers throughout Ireland and grabbed more than 20,000 payment cards by placing skimmers on card-swipe terminals while wearing what appeared to be maintenance uniforms and saying that they were performing bank repairs.

    “The criminals have been going into shops claiming to be engineers working on the terminals,” said Una Dillon, head of card services at the Irish Payment Services Organization. “Staff are used to their bank officials coming to update terminals so unfortunately they have been able to do that.”

    Read more...

    How To Sell PCI To Business Units

    August 14th, 2008

    Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

    At this week’s National Retail Federation CIO conclave, NRFtech, the CIO of J.C. Penney presented the keynote, which focused on the top five priorities for the business and the technical implications of these priorities. PCI compliance, perhaps not surprisingly, was one of these top five priorities. During the discussion, the CIO, Thomas Nealon, commented that one of the biggest challenges when it comes to PCI is explaining to businesspeople why it’s a priority. This is a common refrain among merchants of all types and sizes. Because there are a lot of examples of this in the Knowledge Base, I thought we could discuss some of them, so that others may be able to use them in their own companies.

  • Yell "SECURITY BREACH" really loudly, all the time. A somewhat less extreme version of this is actually pretty common among merchants. Although it can be effective in some cases, it works best as a motivator of businesspeople if you can cite specific statistics and/or industry peers who have been breached. For the statistics themselves, check out http://datalossdb.org/, which is hosted by the Open Security Foundation. However, like crying "Wolf," or talking about the end of the world, this only works for a short period of time. In addition, the use of this tactic can backfire if someone decides to cite the latest financial results from TJX as "proof" that security breaches have no discernible negative impact on revenues. So, although fear of a security breach can get business people to come to a meeting, you’ll need a "second act" to keep them in their seats.
  • Relate PCI to customer care. Businesspeople recognize that customer data is an asset…

    The TJX 11’s Retailers Oblivious To Repeated Breaches

    August 8th, 2008

    Some 3 hours and 19 minutes before the U.S. Justice Department announced to the world that it was charging 11 men with having stolen 41 million payment card numbers from TJX and several other national retailers, a group of Secret Service agents started making phone calls.

    One of those retailers—Barnes & Noble—issued a vague statement suggesting that the chain might not have been aware of the incident before the Secret Service team started making those 11:30 AM calls.

    Read more...

    The Mysterious Unidentified Retailer In The TJX Indictments

    August 8th, 2008

    When federal officials unveiled on Tuesday (Aug. 5) indictments against 11 global cyber thieves accused of data raids against TJX and several other major retail chains, the retail chain that was potentially the most pivotal in ending the multi-national bits-and-bytes bonanza was kept out of the filings.

    Read more...



    Most Recent Comments

    What’s The Rush For New PCI Call Center Requirements?

    And I have not heard anyone mention the impact on companies who provide quality improvement services. Many merchants hire quality improvement companies to review their audio recordings to provide guidance on how to improve their sales staff’s effectiveness in customer service and sales retention. PCI Council needs to rethink this requirement until there is a widely available commercially viable solution. Read more...
    Another ridiculous decision where regulators don't think critically enough about the unintended consequences of their decision. This will be a huge problem for the credit and collections industry. We have to keep all recorded calls for other reasons not related to cc information. We can't purge all of our calls and we don't have the technology to not record part of the conversation. Even if we did, I am not sure we could afford it. Read more...
    This "clarification" is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7 figure sums on their compliance programs. The only alternative to call recording would now appear to be some sort of IVR/push button type interrupt to take card data away from the contact centre. The council is a position to force that sort of process and technology change and this may backfire on them and the vendors that lobbied hard for this clarification. Read more...
    PCI council has made a one-sided decision; they should have done much more in-depth research that could have provided more insight with regard to the implications of such a decision. Read more...

    Will Old OS Cause PCI Violation? No, But Marketing Still Says So

    This is an interesting issue, because there's more to it than what's apparent on the surface. PA-DSS requires supported and patched operating systems and other software components (e.g., databases, libraries, Java, etc.) per PA-DSS 7.1.b and 8.1, and the option for compensating controls simply isn't there. Merchants can make use of compensating controls for most PCI DSS requirements, but only when legitimate constraints exist and only in ways that meet the intent and rigor of the requirement and go above and beyond the other PCI DSS requirements. Read more...
    Why would one automatically upgrade to a "new" OS -- some of the older versions of certain OS-es are more stable and more robust than the crap being peddled today. This is yet another clear example of PCI SSC being out of touch with reality. Rather than requiring a "current" OS, the requirement should be to demonstrate the OS in use is stable and robust, and is adequately hardened against threats. Read more...
    There are compensating controls that encrypt the swipe at the driver level as it enters the PC, there are hardware encrypting card swipes so the cardholder data is already encrypted before it comes to the PC -- either of these, especially the second, would remove the OS entirely from a cardholder data risk profile. Read more...
    In my opinion, the only thing the vendor did wrong was they didn’t know of that FAQ entry. Even if they did, it changes nothing about the need for merchants to update software that no longer receives updates. Read more...

    MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

    Reciprocity between MasterCard and Visa has always been a factor in Acquirer merchant level assignments. The brief removal of reciprocity generated a great deal of interest in being able to be classified at a lower level in MasterCard's world. Nevertheless, the return of the reciprocity language in the December changes did not effectively create any new Level 2 merchants, but it DID dash the hopes of a lot of them.... :-( Read more...
    Let's give them credit??? For being idiotic in the first place? Not on your life! Everyone has just had to scramble and include the costs of the previously announced M/C requirement in their 2010 budgets, and start negotiating with the QSAs for the additional services. All for naught! Read more...
    "A bunch of Level 3 and Level 4 merchants just became Level 2s". Is this an accurate statement? MasterCard & Visa have historically included the caveat "or is a Level X in another brand" in their level setting criteria. MasterCard appeared to back away from this in the June pronouncement, and have simply returned to the status quo. Have Acquirers been tracking and reporting merchants at separate levels by brand? Read more...
    I stick by my comment (quoted in the column) about a bunch of L3 and L4 merchants becoming L2s and requiring an onsite. To me, what made MasterCard's original requirement for an onsite assessment for L2s palatable was that they took away their reciprocity provision. That is, they seemed to focus on larger merchants with over a million MasterCard trans/year. With reciprocity in place, a lot of smaller merchants are pulled into the onsite requirement. Rather than causing confusion, I think reciprocity will lead to additional work for processors and acquirers. Read more...

    Retailers Sue POS Vendor, Questions Raised Where PCI Duties Stop

    I would add a couple more questions: "did the breach involve the use of the default passwords?" (The story doesn't say.) And "were the default passwords used by Computer World to remotely administer the store systems?" "where is the PCI auditor in all this?" Did the restaurant group think they didn't need an audit because Radiant was (mis)representing Aloha as PCI compliant? How is a retailer or even a PCI auditor to know otherwise? A PCI auditor is not necessarily a qualified computer forensic investigator capable of finding the card data on the hard drives. They can only base a decision on information given to them by others. Read more...
    There are so many holes in the process it will be difficult to pin blame on just one constituent. It is ridiculous that the technology exists to better secure these transactions (PIN, EMV, etc) yet banks won't use them. Only the banks or government can force this change, and retailers will suffer until then. Read more...
    A major issue in this case will be if the restaurants had any support agreements in place with Computer World and if so what those agreements say. In my experience many single unit/small operators choose to skip the support agreements in favor of a "pay as you go" arrangement. In this scenario I can't imagine how the POS VAR can be held responsible for a system they don't own nor exclusively manage. Read more...
    There is a big difference in having the POS installation guide say "make sure you set this password because the security of your CHD depends on this" vs. a POS application not storing the CHD in the first place. Traditionally only the merchant was liable for breaches and PCI related fees (fines). Maybe dragging some of the vendors into the liability mud fight will open the eyes of some of these vendors. Read more...

    Should Credit Card Transactions Be Free? There May Be A Way

    Here in the Netherlands, where the population is notoriously penny-pinching, credit card acceptance is amazingly low. It's both a result of the consumer not wanting to pay interest on everyday purchases as well as merchants not giving up a slice of the action. It is both legal and common to pass the processing fee onto the customer as a surcharge. Now things are moving to leave the credit cards behind: mobile phone payments are becoming more and more common here, and the transaction fees are minimal. Parking and entertainment (movie/concert tickets, nightclubs) have been amongst the first, and it's rapidly gaining momentum because the market has been hungry for the convenience at a price it is willing to pay. Read more...
    "Free" is an illusion. Don't charge one person but charge double to someone else. I am very skeptical of anyone who says that advertising will create valid cashflow. Just look at the advertising struggles in a TiVo world. And if you sell your customers' data, just be warned that the one group that might have an issue with that are your customers (which to me is very important to cashflow). Read more...
    Another factor not mentioned here is the impending costs that the processors and issuers are going to incur when someone decides on an end-to-end encryption method, and it then becomes government mandated. I can guarantee that this is a when question and not an if question. The back-end networks are pretty antiquated right now, and it's going to cost billions to replace everything. The cost of tech may be going down, but the cost of replacing millions of servers and hardware, and creating new, proprietary, software is still really expensive. Read more...
    Accepting credit cards is not "risk-free" for merchants, contrary to Jim's comments above. Chargebacks are an expense - both in terms of actual transaction reversals and costs associated with managing the process. Chargeback rules and expenses can be everything from a thorny issue to an onerous expense for some merchants, especially for convenience stores that allow customers to pay for gasoline at the pump, or other retailers that allow in-store self-checkout options. Read more...
    I've wondered for years why the price of transactions has been so high. Phone companies long ago started offering unlimited calling for flat rates because they understood that in many cases it cost more to report on the transactions (calls) than it did to fulfill them. Read more...
    If a home-owner defaults on the mortgage, who is taking the risk? The bank making the loan to the consumer or the person selling the house? It is obviously the bank that takes this risk and is rewarded for that risk through interest rate charges. In my mind, we have mixed together two distinct and unrelated transactions. Read more...
    The one big factor not mentioned in this article is who will take over the risk? Taking credit cards is risk free to merchants and the issuing Banks take the risk if a customer defaults on the payments! If you had an "interchange free" payment system, would the merchants assume the risk? Also, if there isn't enough profit for the issuing banks they will stop issuing credit cards which will in turn kill our economy. Read more...

    The Dangerous Out-Of-Scope PCI Charade

    If tokens are ever deemed in-scope, then where does the line stop? I ask this because it would mean that all timestamps, sequential number, random numbers or any other piece of information that may or may not be used to generate a token is within scope -- all data a POS uses and stores, not just payment data. Read more...
    Having the ability to do both Tokenization and End to End Encryption (not mere point to point) can have tremendous scope and risk reduction benefits and agility to adapt to change in this fast moving compliance landscape. Being able to have both on tap from a single platform is a solid approach to avoiding the pitfalls. Read more...
    But the consumer walks into a particular retail chain, gives their payment card to someone wearing that chain's uniform and the card is swiped. If, six months later, there's a breach and that card was misused, it's the retailer who will be in the spotlight. They're the deep pocket and, therefore, the target. If the consumer is angry and wants to cut off business, it will hit the retailer. Therefore, if the retailer is going to end up being blamed no matter what, they have to stay involved. Read more...
    True, that someone may be storing a token-to-PAN cross reference. But that would be the bank, not the retailer. If the bank is not sure they can keep their data secure, then there are bigger problems to be addressed than bringing tokens into scope. Read more...
    Good general point, Steve, but for the record, not all tokenization is done the same way. Many tokens are associated with lookup lists that allow for them to be re-matched to the card data if it's needed, such as for a chargeback. A token doesn't have to be decryptable (is that a word?) for there to be a way to access the original data. Read more...
    The out-of-scope argument is very valid but in reference to tokens, the premise of temporarily out-of-scope or abruptly deemed in-scope is flawed. Conway was quoted: “anything that could be made unreadable can, in various ways, be made readable again.” This statement is true when talking about encryption technologies (all encryption technologies) but not so with true tokens. True tokens are in no way related to the original data other than as a reference key. Read more...