TJX data breach: At 45.6M card numbers, it's the biggest ever

It eclipses the compromise in June 2005 at CardSystems Solutions

After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise.

In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data.

In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was also stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings.

"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said.

Framingham, Mass.-based TJX is the owner of a number of retail brands, including T.J.Maxx, Marshalls and Bob's Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card information belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland.

At the time, TJX said it believed the intrusion took place in May 2006 but wasn't discovered until mid-December -- seven months later. A few weeks later, the company revised those dates and said that an investigation by IBM and General Dynamics, two companies it hired in the wake of the breach discovery, believed the intrusion may have taken place in July 2005.

Several banks and credit unions around the country and in the other affected regions had to block and reissue thousands of payment cards as a result of the breach.

In its filing, TJX confirmed that its systems were first accessed illegally in July 2005 and then on several occasions later in 2005, 2006 and even once in mid-January 2007 -- after the breach had already been discovered. However, no information appears to have been stolen after Dec. 18, when the intrusion was first noticed.

The systems that were broken into were based in Framingham and processed and stored information related to payment cards, checks and merchandise returned without receipts. The data breach affected customers of its T.J.Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico. Also affected were customers of its Winners and HomeSense stores in Canada and TK Maxx stores in the U.K.

It is hard to know exactly what kind of information was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to.

Customer names and addresses were not included with any of the payment card data believed stolen from the Framingham systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions after September 2003, TJX said. Likewise, by April 3, 2006, the company had begun to mask payment card PIN data and "other portions of payment card transaction information" as well as check transaction information, the company said.
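The measures the filing describes (not storing Track 2 data, masking PIN data and other card fields) amount to data minimization at the point of capture: the stripe read is reduced to what a transaction or returns record actually needs before anything is written to disk. As an added illustration that is not TJX's code and is not taken from the article, the Python below parses a Track 2 magnetic-stripe read, reduces it to a storable record that keeps only a masked PAN, the last four digits and the expiry, and scans constructed log lines for full track data that slipped through unmasked. The Track 2 layout follows ISO/IEC 7813 and the masking rule follows the PCI DSS first-six/last-four display convention; the PAN 4111111111111111 is a well-known placeholder number and the log lines are constructed. PIN blocks are outside this example's scope.

```python
import re

# Track 2 layout (ISO/IEC 7813): optional start sentinel ';', PAN of 12-19 digits,
# separator '=', expiry YYMM, 3-digit service code, discretionary data (which carries
# the card-verification value), optional end sentinel '?'.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# Looser pattern for scanning free text (logs, return records) for unmasked track data.
TRACK2_IN_TEXT_RE = re.compile(r";?\d{12,19}=\d{7,}\??")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test on a PAN (catches mis-reads; says nothing about fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 read into its fields; raise on malformed input or a bad PAN."""
    m = TRACK2_RE.match(track.strip())
    if m is None:
        raise ValueError("not a Track 2 string")
    fields = m.groupdict()
    if not luhn_valid(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    return fields


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI DSS display rule)."""
    if len(pan) < 12:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def to_storable_record(track: str) -> dict:
    """Reduce a Track 2 read to the fields a transaction or returns record may retain.

    The service code and discretionary data are dropped entirely; the PAN is masked
    before it is written anywhere. Only expiry and last four survive in clear.
    """
    f = parse_track2(track)
    return {"pan_masked": mask_pan(f["pan"]), "last4": f["pan"][-4:], "exp": f["exp"]}


def find_unmasked_track2(lines) -> list:
    """Return the indices of lines that still contain full Track 2 data."""
    return [i for i, line in enumerate(lines) if TRACK2_IN_TEXT_RE.search(line)]


# Constructed sample log: the first line holds a raw stripe read, the second is already
# reduced. The PAN is the placeholder test number, not a real account.
SAMPLE_LOG = [
    "2007-01-17 10:02:11 POS-17 return-no-receipt track=;4111111111111111=25121011234567890?",
    "2007-01-17 10:03:40 POS-17 return-no-receipt pan=411111******1111 exp=2512",
]

if __name__ == "__main__":
    print(to_storable_record(SAMPLE_LOG[0].split("track=")[1]))
    print("lines holding unmasked track data:", find_unmasked_track2(SAMPLE_LOG))
```

The scanner is the retrospective check: run over stored transaction or returns data, it reports any record where the full stripe contents were kept, which is exactly the kind of data the filing says the company could not later account for.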

"We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided ... we believe that we may never be able to identify much of the information believed stolen," TJX said.

The company has so far spent about $5 million in connection with the breach, although it is hard to say what other costs may be incurred, the company warned. It cited several lawsuits that have been filed against it since the breach was announced. The company was sued recently by the Arkansas Carpenters Pension Fund, one of its shareholders, for its failure to divulge more details about the breach.

Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc., expressed surprise at the scope of the breach. "I had heard rumors that it was bigger than CardSystems, but I was still somewhat shocked it was really this big."

The number involved in the breach "makes this the biggest card heist ever," she said. "It proves there are still very sophisticated cybercriminals out there at large who have the potential to wreak havoc on pure-payment systems and who have already stolen millions of dollars from consumers and financial institutions," she said.

"If this isn't a wakeup call for stronger card and payment system security, I'm not sure what is," she said.

TJX's disclosure comes just days after six Florida residents were arrested for allegedly running a multimillion-dollar statewide credit card fraud ring using information stolen from the company. Losses experienced by Wal-Mart Stores Inc. and other retailers because of the fraud have so far totaled at least $8 million.

Related Articles and Opinion

  • Stolen TJX data used in Florida crime spree
  • Breach at TJX Puts Card Info at Risk
  • Data breach at TJX leads to fraudulent card use
  • Update: Retail breach may have exposed card information in four countries
  • Martin McKeay: Guess what, the TJX compromise was bigger than initially revealed
  • Robert L. Mitchell: Your credit card information may have been compromised. Just don't worry.

Copyright © 2007 IDG Communications, Inc.