Two months ago, retailer TJX, owner and operator of 2,500 stores in the United States, revealed that hackers who accessed the company’s customer information stole data from at least 45.7 million credit and debit cards. According to the Associated Press, at the time, the company said that about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic strips had been hidden — stored as asterisks rather than numbers.

However, TJX says that it still knows little about the full scope of the breach. The hacker or hackers accessed TJX’s encryption software and may have been able to unscramble the information. “There is a lot of information we don’t know, and may never be able to know, which is why this investigation has been so laborious,” TJX spokeswoman Sherry Lang says.

Here is a recap of the investigation to date:
• The company’s computer systems were first breached in July 2005 by a hacker or hackers who accessed information from customer transactions dating to January 2003. TJX was unaware of the breach until about three months ago.
• Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year. The company did not provide estimates of the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003 to June 28, 2004.
• The intruder may have had access to the decryption tool for the encryption software utilized by TJX.
• Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.
The filing gives the first detailed account of the breach initially disclosed TJX, the owner of T.J. Maxx, Marshall’s and other stores in North America and the United Kingdom.

California Secretary of State Debra Bowen recently announced several new security measures that will protect the privacy and identities of Californians. The Secretary of State is the central filing office for financing statements and lien documents as required under the Uniform Commercial Code (UCC). Many of these documents are public records, meaning they’re available to anyone who requests and purchases a copy of them. Bowen recently shut off web-based access to the UCC filings after learning that many of the documents contain people’s Social Security numbers, therefore increasing their risk of identity theft.

“This is yet another place where our laws haven’t kept pace with advances in technology,” said Bowen. “By law, UCC filings are public records, the statutory UCC filing form that people must use has a space available for a Social Security number, and the Secretary of State is required to accept that form. To make the agency more business-friendly, previous Secretaries of State have made these records available on the Internet. However, until we find a way to remove all but the last four digits of people’s Social Security numbers from the records in the electronic database, I’ve decided to pull the plug on the system that, until Tuesday, gave people web-based access to these documents.”

Bowen has shut down the portions of the Secretary of State’s “UCC Connect” Web site that allowed anyone to search, view and order UCC documents online. In addition, she has taken additional steps to prevent identity theft, including:
• Frozen bulk electronic sales of the UCC image database until all but the last four digits of Social Security numbers can be removed from all existing UCC records.
• Warned UCC filers to prevent identity theft by not including Social Security numbers on any UCC forms.
• Removed all but the last four digits of social security numbers from all copies and images of incoming UCC documents before they are made available to the public.
• Announced her support for legislation, including AB 1168 (Jones), to require no more than four digits of Social Security numbers to appear on public records at the state and local level, to change the statutory UCC filing form, and to give the Secretary of State the authority to reject UCC filings that contain social security numbers.

The Federal Trade Commission testified at the Senate Judiciary Committee Subcommittee on Terrorism, Technology, and Homeland Security, saying that “the government and the private sector must continue to work together to reduce the opportunities for thieves to obtain consumers’ personal information and make it more difficult for thieves to misuse that information if they obtain it.”

Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection, said government and the business community should work together to collect, maintain and protect consumer data, and find better ways to authenticate customers to keep identity thieves from using the information they steal.

According to the FTC: “A recent Wall Street Journal/Harris Interactive survey, for example, found that, as a result of fears about protecting their identities, 30 percent of consumers polled were limiting their online purchases, and 24 percent were cutting back on their online banking.”

The testimony notes that misuse of consumers’ social security numbers plays a major role in identity theft. The FTC recommends that SSNs be used less and kept out of the hands of identity thieves, while giving businesses and government sufficient means to correctly identify people.

Do you believe that identity thieves could steal and erase your computer files, trace every keystroke you make, and take a snapshot of your computer screen while you browse the Web, completely unaware? In a recent article, Diana Ransom, a Wall Street Journal reporter, tells the story of Andrew Whitaker, a licensed information-network security professional who claims he can “watch everything you’re doing online”. If Whitaker can do it, says Ransom, so can identity thieves.

Identity theft has been at the top of the list of consumer complaints to the Federal Trade Commission for seven years in a row. And young adults are the age group most frequently victimized, according to Javelin Strategy & Research. The research firm believes that young people are easier targets because they are less likely to take precautions such as shredding paper documents and using antivirus software and firewalls on their computers. They are also more likely to connect to unprotected wireless access points at hot spots in cafes.

Ransom reports that computer users of all ages can take a few steps to protect their home networks:
1. Pick a better password.
2. Disable “remote management.”
3. Turn off the Service Set Identifier.
4. Enable “Media Access Control Address Filtering.”
5. Turn on encryption.

The latest Gartner survey on identity theft shows a 50 percent increase in total identity crimes. According to Colin Beasty of DestinationCRM.com, this highlights the importance that companies take preventive measures to ensure customer satisfaction.

Approximately 15 million Americans were victims of identity theft-related fraud in the 12 months ending in July 2006, according to Gartner. These statistics represent a more than 50 percent increase since 2003, when the Federal Trade Commission (FTC) reported 9.9 million American adult identity theft victims.

Gartner surveyed 5,000 online Americans in August 2006, reporting that the average loss was $3,257 in 2006, up from $1,408 in 2005. The percentage of funds consumers managed to recover dropped from 87 percent in 2005 to 61 percent in 2006. “Hackers are exploiting Internet auctions, nonregulated money transmittal systems, the ability to impersonate lottery and sweepstakes contests, and other types of imaginative scams,” says Avivah Litan, vice president and distinguished analyst at Gartner. “The thieves have also discovered the weakest links in U.S. payments systems. Typically, the weak links are found among the five or more million businesses that accept electronic payments from consumers, and the consumers themselves.”

The Gartner findings included the following:
• Electronic theft of sensitive information is a leading cause of certain types of fraud, including credit card, debit/ATM card, and bank account transfer fraud. This is not the case with check forgery and new account fraud, where in-person data theft is the leading cause.
• The average loss on new account fraud more than doubled from $2,678 in 2005 to $5,962 in 2006. Unauthorized charges to credit cards rose nearly fourfold from an average of $734 in 2005 to $2,550 in 2006.