TJX breach involved 45.7m cards, company reports

March 28, 2007

By Jenn Abelson, Boston Globe Staff

At least 45.7 million credit and debit card numbers were stolen by hackers who broke into the computer systems at the TJX Cos. in Framingham and the United Kingdom and siphoned off data over a period of several years, making it the biggest breach of personal data ever reported, according to security specialists.

TJX, the Framingham discounter that operates the T.J. Maxx and Marshalls clothing chains, also reported in a regulatory filing yesterday that another 455,000 customers who returned merchandise without receipts had their personal data stolen, including drivers' license numbers. "It's the biggest card heist ever," said Avivah Litan, vice president of Gartner Inc. "This was obviously done over a long period of time, in many locations. It's done considerable damage."

The filing provided the first detailed accounting on the breach since TJX publicly disclosed the problem in mid-January. TJX spokeswoman Sherry Lang said that about 75 percent of the compromised cards either were expired or had data in the magnetic stripe masked, meaning the data was stored as asterisks, rather than numbers. But the true extent of the damage likely will never be known, Lang said, because of the methods used by the intruder as well as file deletions by TJX done in the normal course of business.

"There's a lot we may never know and it's one of the difficulties of this investigation," Lang said. "It's why this has taken this long and why it's been so tedious. It's painstaking."

The disclosure comes days after a ring of thieves was arrested in Florida and charged with using stolen credit-card numbers to buy more than $8 million worth of gift cards and electronics, allegedly using data from TJX. According to Gainesville, Fla., police, the suspects used the stolen data to make fake credit cards with magnetic stripes containing the real account information of TJX customers, and the US Secret Service tied the numbers to those that had been pilfered from the retailer.

Customers across the country have reported fraudulent use of their account information from as far away as Asia. The Framingham merchant, which runs more than 2,500 stores worldwide, is facing an investigation by the Federal Trade Commission and numerous lawsuits from individuals and banks that accuse the company of failing to adequately safeguard private data and delaying disclosure of the breach.

In the filing, TJX for the first time identified Dec. 18 as the date it first learned of suspicious software on its computer system and provided the most extensive timeline to date of the problem. On Dec. 19, the company said, it hired General Dynamics Corporate and IBM Corp. to investigate, and by Dec. 21 they determined that the computer systems had been intruded upon and that an intruder remained on the systems. The next day, TJX notified the federal authorities, and on Jan. 3, company officials and the US Secret Service met with its contracting banks and payment card and check processing companies to discuss the computer intrusion.
