TJX hack: More of the same
Posted: Thursday, March 29 at 05:59 pm CT by Bob Sullivan
As details continue to emerge about the massive data hack at TJX, this much has become clear: Hackers had the run of the place for quite some time while company officials tripped over each other trying to secure customers' personal information. The image of the “Keystone Cops” comes to mind.
Before you chuckle, know that TJX -- the parent company of T.J. Maxx, Marshall’s and other stores in North America and the United Kingdom -- is hardly alone. A soon-to-be-released survey shows that fully 61 percent of company techs don't think the sensitive information in the control of their firms is safe from hackers.
TJX’s SEC filing on Thursday created as many questions as it answered, but it does offer telling glimpses of how things worked inside the company.
Some files were encrypted, some weren't. Some transmissions were encrypted, some weren't. Worst of all, the encryption didn't really work, the firm admits, because "the intruder had access to the decryption tool for the encryption software." That probably happened because the tool, and the key material it needs, was stored on the same computer as the encrypted files, a common flaw, said Gartner analyst Avivah Litan. Encryption only protects data while the key is out of the intruder's reach; once the key sits beside the ciphertext, anyone who can read the files can read the key too, and the encryption is reduced to an obfuscation step.
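To see why co-located key material defeats the encryption, here is an added example (written for this edit, not code from TJX or from the filing) that lays the two deployments out side by side. Everything in it is assumed for illustration: the key-service class, the file names on the data host and the sample record; the cipher is a toy HMAC keystream so that the block runs on Python's standard library alone.

```python
"""Added example, not TJX's or anyone's production code: why a decryption key
kept on the same host as the ciphertext adds nothing against an intruder who
owns that host, and the envelope-encryption layout that fixes it.

The cipher is a toy keystream built from HMAC-SHA256 so the block runs on the
standard library alone; use AES-GCM (or a KMS API) in real deployments.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC(key, nonce || block offset) blocks.
    Symmetric, so one function both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce prepended to the ciphertext."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


class KeyService:
    """Stands in for an HSM or KMS on a separate, tightly controlled host
    (assumed for this example). The key-encryption key (KEK) never leaves it;
    the data host only ever holds data keys wrapped under the KEK."""

    def __init__(self) -> None:
        self._kek = os.urandom(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self._kek, wrapped)


def weak_deploy(disk: dict, plaintext: bytes) -> None:
    """The layout the filing implies: key and ciphertext on one host."""
    key = os.urandom(32)
    disk["card_batch.enc"] = seal(key, plaintext)
    disk["decrypt_tool.key"] = key          # the flaw: key beside the data


def hardened_deploy(disk: dict, kms: KeyService, plaintext: bytes) -> None:
    """Envelope encryption: a fresh data key per batch, persisted only in
    wrapped form. The plaintext data key exists in memory for the duration
    of the write and is never written to this host's disk."""
    dek = os.urandom(32)
    disk["card_batch.enc"] = seal(dek, plaintext)
    disk["card_batch.dek.wrapped"] = kms.wrap(dek)


def intruder_reads_disk(disk: dict):
    """Everything an attacker with full read access to the data host gets.
    Returns the recovered plaintext, or None if the disk alone is not enough."""
    key = disk.get("decrypt_tool.key")
    if key is None:
        return None      # ciphertext plus a wrapped key is useless without the KEK
    return unseal(key, disk["card_batch.enc"])


def authorised_read(disk: dict, kms: KeyService) -> bytes:
    """The legitimate path: ask the key service to unwrap, then decrypt."""
    return unseal(kms.unwrap(disk["card_batch.dek.wrapped"]), disk["card_batch.enc"])


def demo() -> tuple:
    """Run both layouts against the same constructed record. Returns
    (intruder result on weak host, intruder result on hardened host, authorised read)."""
    record = b"4111111111111111|0312|refund|DL#A1234567"   # constructed sample, not real data
    weak_disk, hard_disk, kms = {}, {}, KeyService()
    weak_deploy(weak_disk, record)
    hardened_deploy(hard_disk, kms, record)
    return (intruder_reads_disk(weak_disk),
            intruder_reads_disk(hard_disk),
            authorised_read(hard_disk, kms))


if __name__ == "__main__":
    print(demo())
```

The only difference between the two layouts is where the key lives. In the weak one the intruder's disk read returns the plaintext; in the hardened one it returns nothing usable, because the data key on disk is wrapped under a key that never left the key service. A real deployment would use AES-GCM in `seal`, and the key service would also have to authenticate and log its callers, since an intruder who can impersonate the application can still ask it to unwrap.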
Then there's this: Company officials deleted files after they were stolen, meaning the company doesn't really know how much data was taken. The files were not deleted in response to the crime, mind you, just as part of normal business operations.
For example, hackers stole data from transactions that occurred between November 2003 and April 2004. Since the intrusions occurred in 2005 and 2006, the company had kept that data around for roughly two years. Those files were subsequently deleted, so there's no way to know exactly how many consumers had their data compromised.
That's the irony. Had the company deleted the data once it no longer needed it, there would have been nothing from those transactions left to steal.
TJX deserves harsh criticism for keeping data on its servers so long, particularly data such as the driver's license numbers that 455,000 consumers handed over when they sought refunds. Consumers don't expect companies to hoard their credit card numbers, driver's licenses and other data indefinitely.
Perhaps the only thing worse than keeping the data for years is deleting it after it has been stolen, which wrecks any forensic reconstruction: you cannot count what you no longer have. What chaos! All this means we still don't really know what was taken and may never know. We also have no idea who stole the data, but we know this much. "They hit the jackpot," says Litan.
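One way to reconcile the two failures above, data kept far past its useful life and data purged after a breach, is a retention job that enforces the window but is blocked by a legal hold declared the moment an incident is suspected. The following is an added example (not TJX's code or anything from the filing); the schema, the 90-day window, the store identifiers and the sample rows are all constructed for illustration:

```python
"""Added example, not TJX's code: a retention job that purges cardholder
records past their retention window but will not delete anything under a
legal hold, so an incident does not wipe the forensic trail. The schema,
the 90-day window and the sample rows are assumptions built for this example.
"""
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 90    # assumed policy; PCI DSS only says "no longer than business need"

SCHEMA = """
CREATE TABLE transactions (
    id         INTEGER PRIMARY KEY,
    txn_date   TEXT NOT NULL,   -- ISO date, so it compares correctly as text
    store_id   TEXT NOT NULL,
    pan_last4  TEXT NOT NULL,   -- never the full card number
    track_data BLOB             -- magstripe data; must never be kept after authorisation
);
CREATE TABLE legal_holds (
    store_id  TEXT NOT NULL,
    hold_from TEXT NOT NULL,
    hold_to   TEXT NOT NULL,
    reason    TEXT NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def seed_sample(db: sqlite3.Connection) -> None:
    """Constructed rows: three stale records, one current, one still carrying track data."""
    db.executemany(
        "INSERT INTO transactions VALUES (?,?,?,?,?)",
        [
            (1, "2005-06-01", "0102", "1111", None),
            (2, "2006-11-15", "0102", "2222", None),
            (3, "2006-10-02", "0345", "3333", b"%B4111...^DOE/JANE^0312..."),
            (4, "2007-01-20", "0102", "4444", None),
        ],
    )
    db.commit()


def declare_incident_hold(db, store_id: str, hold_from: str, hold_to: str, reason: str) -> None:
    """First step once an intrusion is suspected: freeze deletion of anything
    the investigation may need, before the next scheduled purge runs."""
    db.execute("INSERT INTO legal_holds VALUES (?,?,?,?)",
               (store_id, hold_from, hold_to, reason))
    db.commit()


def purge_expired(db, today: date) -> int:
    """Delete rows older than the window unless a hold covers that store and date.
    Returns the number of rows removed."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    cur = db.execute(
        """
        DELETE FROM transactions
         WHERE txn_date < ?
           AND NOT EXISTS (
                 SELECT 1 FROM legal_holds h
                  WHERE h.store_id = transactions.store_id
                    AND transactions.txn_date BETWEEN h.hold_from AND h.hold_to)
        """,
        (cutoff,),
    )
    db.commit()
    return cur.rowcount


def prohibited_data_findings(db) -> int:
    """PCI-style check: every row still holding track data is a finding, whatever its age."""
    return db.execute(
        "SELECT COUNT(*) FROM transactions WHERE track_data IS NOT NULL"
    ).fetchone()[0]


def remaining_ids(db) -> list:
    return [row[0] for row in db.execute("SELECT id FROM transactions ORDER BY id")]


def demo(with_hold: bool = True) -> dict:
    """Seed the sample, optionally declare a hold on store 0102, then run the purge
    as of 2007-03-29 (cutoff 2006-12-29)."""
    db = open_db()
    seed_sample(db)
    findings_before = prohibited_data_findings(db)
    if with_hold:
        declare_incident_hold(db, "0102", "2005-01-01", "2006-12-31", "intrusion investigation")
    deleted = purge_expired(db, date(2007, 3, 29))
    return {"findings_before_purge": findings_before,
            "deleted": deleted,
            "remaining": remaining_ids(db)}


if __name__ == "__main__":
    print(demo())
```

With the hold in place the purge removes only the stale record from the uninvolved store; without it, all three stale records go, including the ones an investigator would need to size the breach. The track-data check is the other half of the lesson: some data should never have been retained in the first place, and no retention window makes keeping it acceptable.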
One theory: Wireless hacking
She has a theory about how the data was stolen. She believes hackers managed to penetrate TJX’s computers through an exposed wireless network used to run retail operations. Hackers outside a store managed to break into the "controller" computer that manages the store's cash registers.
From there, criminals were able to reach computers across TJX's global network simply by guessing internal network addresses, which only works if nothing segments the store network from headquarters. "Once you get into a controller, you can get into headquarters," she said.
TJX said it had no additional details about how the hack occurred. But privacy consultant Larry Ponemon said Litan’s scenario is certainly a possibility; he's consulted with other retailers who had exposed wireless networks.
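The pivot Litan describes, a controller reaching headquarters hosts by guessing addresses, leaves a signature that is easy to look for: one store source talking to many distinct corporate destinations it has no business with. This is an added example of that detection, not anything from the article or from TJX; the log format, the address ranges, the allow-list, the threshold and the log lines are all assumed or constructed for illustration:

```python
"""Added example, not from the article or TJX: detection logic for the pivot
the analyst describes, a store controller that starts reaching many distinct
headquarters hosts (address guessing) instead of the one or two it needs.
The log format, address ranges, allow-list and threshold are assumptions;
the log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

CONTROLLER_NET = ipaddress.ip_network("10.50.0.0/16")   # assumed: store controllers
HQ_NET = ipaddress.ip_network("10.1.0.0/16")            # assumed: headquarters servers
# Assumed: the only HQ services a controller legitimately talks to.
ALLOWED = {("10.1.2.10", 443), ("10.1.2.11", 1433)}
FANOUT_THRESHOLD = 5   # distinct unexpected HQ hosts before we alert

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

# Constructed firewall log: 10.50.17.1 behaves, 10.50.23.1 sweeps a server subnet.
SAMPLE_LOG = """\
2007-03-29T02:00:01 src=10.50.17.1 dst=10.1.2.10 dport=443 action=allow
2007-03-29T02:00:05 src=10.50.17.1 dst=10.1.2.11 dport=1433 action=allow
2007-03-29T02:01:00 src=10.50.23.1 dst=10.1.2.10 dport=443 action=allow
2007-03-29T02:01:02 src=10.50.23.1 dst=10.1.3.1 dport=445 action=allow
2007-03-29T02:01:02 src=10.50.23.1 dst=10.1.3.2 dport=445 action=allow
2007-03-29T02:01:03 src=10.50.23.1 dst=10.1.3.3 dport=445 action=deny
2007-03-29T02:01:03 src=10.50.23.1 dst=10.1.3.4 dport=1433 action=allow
2007-03-29T02:01:04 src=10.50.23.1 dst=10.1.3.5 dport=1433 action=allow
2007-03-29T02:01:04 src=10.50.23.1 dst=10.1.3.6 dport=3389 action=deny
2007-03-29T02:02:00 src=10.50.17.1 dst=10.1.2.10 dport=443 action=allow
2007-03-29T02:02:30 src=192.168.5.5 dst=10.1.3.9 dport=22 action=allow
"""


def parse(lines):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_fanout(lines) -> dict:
    """Return {controller: {"targets": sorted unexpected HQ hosts, "denied": n}}
    for every controller whose unexpected fan-out reaches the threshold.
    A denied attempt still counts: the intruder learned the address is in use."""
    unexpected = defaultdict(set)
    denied = defaultdict(int)
    for rec in parse(lines):
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src not in CONTROLLER_NET or dst not in HQ_NET:
            continue
        if (rec["dst"], int(rec["dport"])) in ALLOWED:
            continue
        unexpected[rec["src"]].add(rec["dst"])
        if rec["action"] == "deny":
            denied[rec["src"]] += 1
    return {
        src: {"targets": sorted(hosts), "denied": denied[src]}
        for src, hosts in unexpected.items()
        if len(hosts) >= FANOUT_THRESHOLD
    }


def demo() -> dict:
    return detect_fanout(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, info in demo().items():
        print(f"ALERT {src}: {len(info['targets'])} unexpected HQ hosts, "
              f"{info['denied']} denied: {info['targets']}")
```

The alert is the detective control; the preventive one is a default-deny firewall between the store and headquarters networks, so that the allow-list is the only path and the sweep above is refused rather than merely logged.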
Meanwhile, the notion that hacking such critical data is easy is pervasive among security professionals. Ponemon is about to publish survey results that indicate 61 percent of computer security workers say their companies are not safe from hackers. The study also offers a clue as to why.
CEOs, techies disagree
Half of all executives told Ponemon that compliance with computer security rules, such as the Payment Card Industry Data Security Standard (PCI DSS) that Visa and the other card brands impose on merchants, is a critical priority for their companies. But only 10 percent of the hands-on tech workers agree. In other words, while CEOs say they take security seriously, the techies know the truth. And the truth is, your data is there for the taking.
"That's quite a gap," Ponemon said. "The average person who does … (security) day in and day out knows that if you are smart enough you can hack your way into sensitive data." Why is that? "When faced with something that generates revenue, or spending on security, companies always go with the revenue generation," Ponemon said. "No one wants to spend money on security."
TJX may find it has to spend the money anyway. Until recently, companies that leaked data got off lightly because the cost of resulting credit card fraud was often borne by banks and other merchants.
Not any more. Visa USA now has a policy called Account Data Compromise Recovery that allows merchants and banks to seek compensation from the data leaker. In addition to fraud recovery, the plan allows banks to recover $1 per stolen card as reimbursement for operational costs.
If the pool of leaked cards obtained from TJX ends up at more than 45 million, as the company has stated, that would be a pretty big bill -- and a pot of money that could have funded a pretty sizable computer security effort.
Heads at the very top should roll. This is abominable.
If this company is this stupid can any others be considered any better? Our data is just blowing in the wind and those private networks that lap it up know more about us than we are willing to admit to.
A TV station here did a show on this recently.
http://www.cbc.ca/marketplace/2007/03/net_security.html
Alex in Toronto, ON CANADA (Sent Mar 29, 2007 6:37:58 PM)
Another abominable procedure is the one used by Office Depot, where they key in the CVV2 code of your credit card, even if it's being swiped in front of them. I doubt their security is good enough to warrant that intrusion.
Johnny, Burnsville, MN (Sent Mar 29, 2007 7:08:55 PM)
Pretty much anytime you whip out a credit card, debit card or check, you're taking a real risk. I'm just glad the banks can hit the merchants up to recoup the costs. TJX should definitely have to cough up for their negligence. I'm just glad I've never shopped there. I'm just waiting for Wal-Mart to get hit. I read that restaurant chains have the highest rate of ID theft. I'm starting to think I may have to log in to each of my accounts and check them DAILY.
Carlo, Somewhere in the Middle (Sent Mar 29, 2007 7:43:21 PM)
If an engineer builds a building, then it collapses and kills people, he or she is possibly facing criminal charges beyond the civil liabilities.
If you mishandle a gun, then it goes off and kills someone, you're probably going to jail for negligent homicide or manslaughter.
If you hit someone with your car due to carelessness, you're looking at possible vehicular assault or homicide charges.
Why not hold firms and their employees, including technicians, CIOs and CEOs, who fail to secure data under criminal law for negligently losing personal data?
Joe Dokes (Sent Mar 29, 2007 7:50:25 PM)
Not new but an unbroken security failure from most businesses. When 50% to 60% of all Americans have had ID theft and are forced to pay higher interest rates or be denied credit then these businesses will turn it around on the consumer and charge the public a fee for security steps to make us safe. We all lose again and the failed business model continues with the circle still unbroken.
Jack Lee, Killeen, TX (Sent Mar 29, 2007 9:52:36 PM)
Computers are wonderful tools, but if you're stupid enough not to secure your customer data, then you need to go back to filing cabinets.
(Sent Mar 29, 2007 11:50:27 PM)
In most cases employees tell their employers about potential problems. Unfortunately, in many businesses you can have top-level people who are any combination of the following:
a) Computer illiterate to the point where they can barely turn it on.
b) Greedy. They are worried about the bottom line. The reality is that a few thousand dollars in hardware and software today can save them hundreds of thousands tomorrow.
c) So self-important that, while they can barely turn a computer on, they are somehow more qualified than their tech staff to make tech security decisions.
Of course when something goes wrong, they will blame their employees. That is why I suggest that all tech employees tape all conversations about security or any other serious concern.
The comic strip Dilbert with the incompetent manager was not complete fiction. That is sometimes how it is.
AJ (Sent Mar 30, 2007 12:49:05 AM)
To add to Joe Dokes' comment: if you take, or cause to be taken, money from a person's account without their permission or their knowledge, would this not constitute a form of loss, or at the least earn them the envious title of con artists?
Daniel, Christchurch, New Zealand (little country off to the side of australia) (Sent Mar 30, 2007 4:09:59 AM)
Carlo, you say you are glad the banks can hit the merchants up to recoup the costs. I hope you mean the merchants who leaked the data. Because I am a small merchant who has had several fraudulent charges hit me and it is devastating. I sold in good faith, my credit card processor approved the sale, but then I have to return the money when the card proves fraudulent weeks later. How is that fair to me? I'm out both the money and the merchandise. This is the part of fraud that no one talks about. Remember, it isn't the credit card companies or banks paying the bill; it's the merchants who lose coming and going. And you can be darn sure I've never compromised any of my customers' data!
JD, Tampa, FL (Sent Mar 30, 2007 5:37:55 AM)
My account was hacked after ONE transaction at ONE T.J. Maxx store in Kingsport, Tennessee. My mother's account was compromised as well. We received letters notifying us. What legal recourse do we have, if any, to take against the retailer?
Cindy, Virginia (Sent Mar 30, 2007 7:00:30 AM)
Restaurants have the highest percentage of ID theft because you usually let the server take the card to the register; someone can use a cell phone to take a picture of the card. It's best to walk the card to the register yourself, and not take your eyes off it.
Terry M. Utica, NY (Sent Mar 30, 2007 7:33:47 AM)
The truth of the matter is, American corporations' desire to hire low-quality people at low wages allows vulnerabilities like this to happen. Many of these corporations believe they can simply issue a "corporate lawyer edited" apology if their customers are affected by their lack of concern for security.
Quite frankly, I seriously doubt TJMaxx is even serious about hiring the best qualified people to protect their customers' credit cards, and 9/10 it's some good ol' boy who looks forward to fishing trips and golf on the weekend.
Kant Saye, Macon GA (Sent Mar 30, 2007 8:20:49 AM)
Looks like cash isn't such a bad idea, anymore. How many of you folks out there want ours to be a "cashless" society, as has been touted for so long by so many of these same credit card companies, banks, and even our glorious government?
Keep on using that plastic, folks. I'm sure that there are hundreds of hackers who just LOVE you!
Paying In cash in PA (Sent Mar 30, 2007 9:05:22 AM)
As an IT person, I can guarantee that what Mr. Ponemon says is absolutely correct. When it comes to making a choice between generating revenue or enhancing data security, management types will pick revenue. There is nothing sexy or alluring about data security to them. I firmly believe that it is time to take the blinders off these folks, and do it by setting a few examples. Some serious jail time is not out of the question here. Maybe prosecution under the category of reckless endangerment? Failing to heed warnings from all levels, from the government to private citizens? These people judge everything by dollar signs, and only by removing one or two of the significant digits on their paychecks will they pay any attention to this problem. Their attention to the financial safety and well-being of their customers ends when the credit card goes back into the wallet.
Prison time and fines are the only methods that will make them change.
Paying Cash In PA (Sent Mar 30, 2007 10:43:39 AM)
Cash is King! go to the bank and get the green! Plus its also good for budgeting! Very scary times now! I work in the industry its about time this has gotten the exposure it deserves!
(Sent Mar 30, 2007 10:49:33 AM)
I pay with cash.
(Sent Mar 30, 2007 11:14:11 AM)
I am seriously considering using my debit card only at ATMs and going back to writing checks for purchases. Sure it's inconvenient, but it's a lot less aggravating than fraud.
(Sent Mar 30, 2007 11:25:25 AM)
I think the comment about using cash only is funny. I would rather have my ID stolen online than be beaten to death for the $100.00 cash in my pocket. I guarantee that "Paying Cash in PA" cannot get approved for the credit card he/she doesn't use.
(Sent Apr 3, 2007 10:28:52 AM)
Everyone is talking about nailing the companies who leak the info, which I understand and agree. But, not one post (that I read) said, 'string up the hackers.'
There should be ZERO tolerance for hackers, virus makers, WAREZ sites, etc. Instead of McAfee, Norton and countless other companies coming up with ways to remove viruses from our computers, someone should develop an actual way to track viruses back to their source. As invasive as the Patriot Act is, I'm frankly surprised that each of our operating systems isn't given an individual code, with each file we generate bearing an unchangeable (or undeletable) marker. I'm certain the hackers would find a way to strip it out of their computers, but owning a system without the marker information (which Windows, or other OSes, could scan for and report back to Redmond, as already happens) could and should be as illegal as owning a car or gun with the serial numbers scratched off.
That's just my uneducated ranting. I'm certain that there are a million better ways to do it. But, as long as we keep persecuting the companies who are trying to balance profitability with security (still no excuse for what happened) instead of going after the hackers, we'll never solve the problems and will only see higher retail prices, as these businesses exact the cost of their 'improved security' from the consumers.
john (Sent Apr 3, 2007 1:22:36 PM)
There are three ways to avoid getting your identity stolen: 1) Use cash all the time; 2) Use a credit card with a limited spending budget amount; 3) Subscribe to a credit report agency.
John Smith, Seattle, Washington (Sent Apr 3, 2007 1:46:24 PM)
Jail schmail. These bozos won't do any time. Weasel CEOs have weasel lawyers to argue and appeal this to the point of insignificance. The lawyers' fees, which will make the original crime pale by comparison, will be passed on to future customers. Vote with your feet. It's not like any one retailer operates in a vacuum. Their competitors offer the same goods and perhaps with a more secure CC system. Boycott them and take your business somewhere else. If all they're concerned with is the bottom line, wipe it out!
(Sent Apr 3, 2007 1:52:15 PM)
You can bet I won't use my card at a TJMaxx or a Marshalls ever again after just getting my debit card replaced (my purchase at a Marshalls had been about a year before; why on earth did they have my debit card number still???). And since I rarely carry cash (I know, I know, but "have cash, will spend"; it's better for my finances to run the risk of plastic than to carry cash burning a hole in my purse all the time), I will rarely visit their stores. Seems pretty simple to me; mess up a customer's account, customer doesn't come back.
Keri in TN (Sent Apr 3, 2007 2:15:22 PM)
To the writer who is considering going back to cash from the ATM and using checks... consider that the use of checks allows for fraud too. I had someone get my routing number and use it to pay his credit card bills... and he was on probation for prior "theft by personification of another"! Checks are no better than ATM cards or credit cards.
(Sent Apr 3, 2007 3:38:39 PM)
I very much agree with my colleague (the IT person a few posts above). Sales and business people are only concerned with profits/sales and assume that just because the current system has been operational for so long, it will do just fine in the future.
A "just make do" philosophy spells disaster as threats are constantly evolving.
In my experience, middle management is the worst. They like to cover their *sses from every angle possible. Firstly, even if in IT, they'll try to appear concerned about profits/sales while downplaying the challenges in their own department. They will take months to talk before attempting even the simplest project. Then they will bring in consultants and take months to pick which consultant will do the job.
The consultant will then underestimate the complexity of the problem, will run past the deadlines and will generally implement a flawed system. Most likely due to the fact that he does not understand the business model and the operational details of the company.
Then someone will hack in and the CEO will have to leave the golf course and try to save face by telling the media how concerned his company is for its customers.
And even if the CEO needs two IT people to sync his BlackBerry, it is still not his fault that mid-level management was made up of idiots.
Paying $300 - $360 for credit monitoring per person (for 3 years) should sure make the CEO replace some of the idiots in the IT department with some qualified people. 1 million compromised names ?? $360 million fine should make a fine warning...
As far as cash goes; I had someone try to purchase $5000 worth of merchandise with a "clone" of my ATM card. I rather have that, than being shot or beaten up for the content of my wallet.
Vince (Sent Apr 3, 2007 4:01:39 PM)
Cash Cash Cash! Pay with the green. I stopped using my credit card and checkbook shortly after I lost my job two months ago and darn straight it makes you watch the bottom line. I have a budget so tight, it squeaks. The other point to consider is going after the hackers with serious armament. It may soon be a capital crime to hack a big system and frankly, I'd applaud. Most of these hackers are wise-guy punks who do it to prove that they CAN. Maybe a few executions might change their minds. Or maybe not, as most of them are sociopaths.
M.R. Portland, OR. (Sent Apr 3, 2007 4:23:47 PM)
Checking fraud has been around longer than Credit Card fraud. Actually, I.D. theft consists of a lot more than those two. Some of your I.D. has probably already been stolen and is just waiting for someone to use it.
Best bet is to get Identity theft protection (IdentiShield). It's cheap and you'll sleep better.
Paul, G.R., MI (Sent Apr 3, 2007 4:55:43 PM)
It doesn't matter if you use cash; your identity can be stolen and a criminal can get a credit card in your name. I love all the people who say 'they never would do their banking online'; your account is most likely available online anyway.
j smith, new york (Sent Apr 3, 2007 5:04:13 PM)
I am one of those who got a call from my bank saying my VISA debit card had been compromised. This is the 2nd time this has happened in the past year. And I was told that both times it was TJMaxx's fault!
I'm thinking of going back to writing checks again, after all these years of using the debit card. Things are just getting worse. The more layers of convenience, the more holes in the security, it seems.
Pat Taylor, Kansas City, MO (Sent Apr 3, 2007 5:24:02 PM)
Retailers can be the identity theft culprits themselves. Example:
I recently returned something I bought for my daughter at Express in the local mall. I was asked for my drivers license (which I thought was to validate my identity on the card used for the original purchase). The Manager then went and swiped my DL, even though they didn't require it when original purchase was made. I resisted but was told it is store policy to do this else you will not get a refund.
When I objected and brought up the TJMaxx ordeal, I was also told by the store manager that TJMaxx used a cheap system and the Express IT system is much better (how much better is it and what would the store manager know about IT security systems and databases?) I didn't debate it any further and left after a patronizing, and snide "have a nice day" from the manager.
Isn't this a form of corporate identity theft...for a store to demand additional personal info not required at purchase, which will be held on their database combined with your credit card number, also on their database? Makes no sense. This is a result of a true lack of cohesive security strategy between those who set store policy and the IT department.
John, Chicago, IL (Sent Apr 3, 2007 5:37:16 PM)
About a month ago I went to use my Bank of Montreal debit card and found it had been cancelled. I went in to speak with the teller and she told me my card and personal information had been compromised, and she showed me my transactions. I instantly saw two $500 transactions I had not made. Long story short, they questioned me about it and when I proved it wasn't me they had nothing else to say. I got the $1000 back as well as the NSF charge they had charged me for my rent check bouncing, but they won't return the other lost money and are acting like it's no big deal. So it's not just credit card companies and retailers but also banks that are obviously not safe either, even though they make $20 BILLION in profit a year.
Scott W Miss,On (Sent Apr 3, 2007 7:46:48 PM)
I see no reason why retail stores should hoard their customers' credit card info at all. Even with online merchants, they should not leave their customers' credit card numbers in their databases. Once the transaction is cleared and the product has shipped and the agreed-upon return policy (usually 30 days after purchase) has expired, the number should be taken out of the database. Of course hackers can still access the data that is within 30 days, but it should lessen the amount of data they can get. As mentioned in previous comments, the government needs to come up with stiffer fines for hackers who are caught, but of course they have to be caught first, easier said than done.
Eddie Q. (Sent Apr 10, 2007 9:27:20 AM)
I wonder if there is a way to track whose information they hacked. I know one thing for sure, I will NEVER shop at TJ Maxx or Marshalls again. I understand that they aren't the only companies that have been hacked, but if they can't even secure their computer network (something very easy to do) they do not need my business!
Mindy, Texas (Sent Apr 10, 2007 10:11:52 AM)
I have done many rebates with Best Buy and they make it as hard as pulling teeth to get your $$$$. They "lose" your paperwork, tell you over the phone they will do things, make you cut all kinds of codes and barcodes off the packaging, ad nauseam.
pat moan pgh pa (Sent Jun 15, 2007 12:30:02 PM)