NEWS

TJX data breach: At 45.6M card numbers, it's the biggest ever

It eclipses the compromise in June 2005 at CardSystems Solutions

By Jaikumar Vijayan
Computerworld | MAR 29, 2007 12:00 PM PST

After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise.

In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data.

In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was also stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings.

"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said.

Framingham, Mass.-based TJX is the owner of a number of retail brands, including T.J.Maxx, Marshalls and Bob's Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland.

At the time, TJX said it believed the intrusion took place in May 2006 but wasn't discovered until mid-December -- seven months later. A few weeks later, the company revised those dates and said that an investigation by IBM and General Dynamics, two companies it hired in the wake of the breach discovery, believed the intrusion may have taken place in July 2005.

Several banks and credit unions around the country and in the other affected regions had to block and reissue thousands of payment cards as a result of the breach.

In its filing, TJX confirmed that its systems were first accessed illegally in July 2005 and then on several occasions later in 2005, 2006 and even once in mid-January 2007 -- after the breach had already been discovered. However, no data appears to have been stolen after Dec. 18, when the intrusion was first noticed.

The systems that were broken into were based in Framingham and processed and stored information related to payment cards, checks and merchandise returned without receipts. The data breach affected customers of its T.J.Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico. Also affected were customers of its Winners and HomeSense stores in Canada and TK Maxx stores in the U.K.

It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to.

Customer names and addresses were not included with any of the payment card data believed stolen from the Framingham systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions after September 2003, TJX said. Also by April 3, 2006, the company had begun to mask payment card PIN data and "some other portions of payment card transaction information" as well as check transaction information, the company said.

"We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided ... we believe that we may never be able to identify much of the information believed stolen," TJX said.

The company has so far spent about $5 million in connection with the breach, although it is hard to say what other costs may be incurred, the company warned. It cited several lawsuits that have been filed against it since the breach was announced. The company was sued recently by the Arkansas Carpenters Pension Fund, one of its shareholders, for its failure to divulge more details about the breach.

Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc., expressed surprise at the scope of the breach. "I had heard rumors that it was bigger than CardSystems, but I was still somewhat shocked it was actually this big."

The number involved in the breach "makes this the biggest card heist ever," she said. "It proves there are still very sophisticated cybercriminals out there at large who have the potential to wreak havoc on pure-payment systems and who have already stolen millions of dollars from consumers and financial institutions," she said.

"If this isn't a wakeup call for stronger card and payment system security, I'm not sure what is," she said.

TJX's disclosure comes just days after six Florida residents were arrested for allegedly launching a multimillion-dollar statewide credit card fraud ring using information stolen from the company. Losses experienced by Wal-Mart Stores Inc. and other retailers because of the fraud have so far totaled at least $8 million.

Jaikumar Vijayan is a freelance technology writer specializing in computer security and privacy topics.

Copyright © 2007 IDG Communications, Inc.