More Analysis of TJX's Offer To Its ID-Theft Victims

The Truston Identity Theft blog has an interesting analysis of TJX's actions. The post covers two important points. The first is what I call "yield," the number of ID-theft victims who opt in to a company's free credit monitoring offer:

"They (TJX) offer credit monitoring to just 10% of the total breach number (455,000) and then announce a retail sale at the same time. If they require the victims to opt-in and order the monitoring to get it, then they will likely only have to pay for around 20–30% of the 455,000 they are offering it to. That’s a rule of thumb in the industry for the typical number of people that opt-in for free victim support for credit monitoring. So, 45 million accounts are breached and maybe TJ Maxx ends up paying for services for 90,000–135,000 people."

Wow! What a slick move to minimize responsibility. In my opinion, total sleaze.

Now the second point: synthetic ID-theft. This is when the identity thief mixes one person's SS# with another person's name in an attempt to evade detection. The Truston blog references Ed Dickson's Fraud, Phishing, and Financial Misdeeds blog:

"One thing that concerns me is that the settlement offer states that one of the requirements to receive compensation will be that the identification number compromised has to match their Social Security number. I guess that TJX and their affiliates don't want to address the rising phenomenon of synthetic identity theft? When synthetic identity theft is committed, different parts of a person's identity are crafted to create a new one."

Ed also provides some good background on the shady world of re-selling personal data:

"In the identity theft world -- which is what the concern about this data breach is all about, when a SSN or SIN (in Canada) is compromised -- the criminal compromising the information has all the information necessary to complete a full identity assumption. In the dark world of Internet forums that sell this information, a complete identity (SSN, or SIN included) is often referred to as a "full." The complete information on a person is simply worth a little more money to the criminals purchasing it."

Lovely, eh?

