TJX Companies, US parent company of the TK Maxx chain of
discount retail outlets, has admitted that the details of at least
45.7 million credit and debit cards were stolen over an 18-month
period by hackers who managed to
penetrate its network.
The retail giant finally gave a tally of the damage in a
regulatory filing with the US Securities and
Exchange Commission (SEC). The company also acknowledged
that another 455,000 customers who returned merchandise without
receipts were robbed of their driver's licence numbers and other
personal information.
TJX spokeswoman Sherry Lang told The Boston Globe, which first
reported the filing on 28 March, that about 75% of the affected
cards had either expired or had data from their magnetic stripes
masked, meaning the data was stored as asterisks rather than
numbers.
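The masking described above is the PCI DSS practice of storing and displaying only a truncated primary account number (PAN). The example below, added here and not code from TJX, the Globe or any PCI tool, shows the two checks a practitioner would want: a masking routine that keeps at most the first six and last four digits (the PCI DSS 3.3 display limit), and a scan of stored transaction records that flags any Luhn-valid digit run still present in the clear. The record layout, field names and the four sample transactions are constructed for this illustration; the Luhn-validated regex scan is a common heuristic, not a PCI-mandated method.

```python
"""Added example (not from the article or from TJX): PCI-style PAN masking
and a scan of stored transaction records for unmasked card numbers.

Assumptions (constructed for this illustration): the record format and
field names, the sample transactions, and the use of a Luhn-validated
digit-run search as the detection heuristic.
"""
import re

# A PAN is 13-19 digits, possibly separated by spaces or hyphens; the
# pattern starts and ends on a digit so no trailing separator is captured.
PAN_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Replace all but the permitted leading/trailing digits with '*'.

    Defaults keep only the last four. keep_first is capped at 6 and
    keep_last at 4, the maximum PCI DSS 3.3 allows to be displayed.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    keep_first = min(keep_first, 6)
    keep_last = min(keep_last, 4)
    masked_len = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * masked_len + digits[len(digits) - keep_last:]


def find_unmasked_pans(text: str) -> list:
    """Return every digit run in text that looks like a full, Luhn-valid PAN."""
    hits = []
    for m in PAN_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scrub_record(line: str) -> str:
    """Rewrite a stored record so any full PAN in it is masked in place."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RUN.sub(repl, line)


# Constructed sample records: two retain the full PAN, two are already masked.
SAMPLE_RECORDS = [
    "2006-11-03 store=0412 pan=4111111111111111 amount=89.99",
    "2006-11-03 store=0412 pan=************1111 amount=19.49",
    "2006-11-04 store=0077 pan=5500 0000 0000 0004 amount=240.00",
    "2006-11-04 store=0077 pan=************0004 auth=ok",
]


if __name__ == "__main__":
    leaked = find_unmasked_pans("\n".join(SAMPLE_RECORDS))
    print(f"{len(leaked)} record(s) still hold a full PAN: {leaked}")
    for rec in SAMPLE_RECORDS:
        print(scrub_record(rec))
```

Run against a dump of retained transaction data, the scan reports how many records would have handed an attacker a usable card number; the scrub shows what those records should have looked like at rest. The Luhn filter keeps dates, store numbers and amounts from being reported as hits.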
She admitted the full extent of the damage may never be known
because of the attackers' methods. According to the Globe, much of
the transaction data was deleted by TJX in the normal course of
business between the time of the thefts and the time they were
discovered, making it impossible to know how many card numbers were
obtained.
Avivah Litan, vice president of research at Gartner, described the
TJX breach as the largest online burglary ever and the biggest data
breach in history. "This was obviously done over a long period of
time, in many locations," Litan was reported in the Boston Globe as
saying. "It's done considerable damage."
TJX acknowledged in January that an attacker
exploited a flaw in a portion of its computer network that
handles credit card, debit card, check, and merchandise return
transactions.
The TJX breach was
worse than first thought. The company initially believed that
attackers had access to its network between May 2006 and January
2007. However, TJX recently admitted that thieves were inside the
network several other times, beginning in July 2005. In Wednesday's
SEC filing, the company said the stolen data covers transactions
dating back even further, to December 2002. The Federal Trade
Commission (FTC) is investigating the breach.
TJX
violated some of the basic tenets of the PCI
Data Security Standard (PCI DSS), several PCI auditors told
SearchSecurity.com recently, and the company will pay a heavy
financial price. They said companies should study the TJX
security breach for clear lessons on what not to do with
customer data.
The Massachusetts Bankers Association has reported that several of
its member banks have been affected by fraudulent transactions
associated with the TJX data breach. The stolen data has reportedly
been used to make purchases in Florida, Georgia and Louisiana, as
well as in Hong Kong and Sweden. In addition, credit card issuers
have contacted at least 60 banks about compromised cards.
Law enforcement officials in Florida, meanwhile, say thieves were
using customer data from TJX last November, a month before TJX
learned of the breach, in a gift card scheme. Police last week
charged six people with using the stolen card numbers to buy about
$1 million in merchandise with gift cards.
Also last week, the Arkansas Carpenters Pension Fund, which owns
4,500 shares of TJX stock, filed suit against the company under a
law permitting shareholders to sue for access to corporate documents
in certain cases. The pension fund wants the records to see whether
TJX's board has been doing its job in overseeing the company's
handling of customer data.
In late January, a West Virginia woman filed a
class action lawsuit against the company accusing it of
negligence for not doing enough to secure customer data and for
keeping quiet about the breach for a month.