The company said an attacker exploited a flaw in a portion of TJX's computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The intrusion may involve customers of its T.K. Maxx stores in the U.K. and Ireland and could also extend to TJX's Bob's Stores in the U.S., the company said.
The discovery was made in December, but the retailer said investigators asked to delay an immediate announcement of the breach during the initial part of the investigation.
Customers who shopped in the stores in 2003 and from mid-May to December 2006 may have been affected, the company said. TJX said it has been able to specifically identify a limited number of credit card and debit card holders whose information was removed from the system.
The company said that "a relatively small number" of customer names and drivers' license numbers were also removed from its system. Those customers are being contacted directly.
The company also hired consultants from General Dynamics Corp. and IBM to provide assistance in monitoring and evaluating the intrusion, assessing possible data compromise, and seeking to identify affected information. The consultants are also helping bolster TJX computer systems with security upgrades, the company said.
"We have also engaged two of the very best computer security experts to help us strengthen the security of our systems in order to prevent this from happening again and we believe customers should feel safe shopping in our stores," said Ben Cammarata, chairman and acting CEO of the company, in an alert to customers on its Web site.
A special helpline is in place for TJX customers who have questions about the data breach. Customers may reach the helpline toll-free at 866-484-6978 in the United States, 866-903-1408 in Canada, and 0800 77 90 15 in the United Kingdom and Ireland.
Data breaches have been making headlines in 2006. In December, a hacker gained access to a computer system at the University of California, Los Angeles. About 800,000 potential victims were notified. Aircraft giant Boeing Co. also said in December that a company-owned laptop containing the personally identifiable information of nearly 400,000 of its employees and former workers was stolen.
According to a list posted by the watchdog group Privacy Rights Clearinghouse, dozens of breaches have taken place in recent months. While the UCLA breach was one of the largest involving a U.S. higher education institution, businesses have been grappling with data protection and notification of breaches.
In August, AT&T notified about 19,000 customers that their personal data was compromised after digital miscreants hacked one of its computer systems and gained access to credit card information and other personal data. In late 2005, a timeshare unit of Marriott International Inc. notified over 200,000 customers that data on backup tapes was stolen.