T.J. Maxx Parent Company Data Theft Is The Worst Ever - InformationWeek
IoT
IoT
Software // Enterprise Applications
News
3/29/2007
01:11 PM
50%
50%
RELATED EVENTS
[Best Practices] Managing Multiple Clouds
Jul 26, 2017
Putting all your eggs in one cloud basket is risky, because clouds are not immune to denials of se ...Read More>>

T.J. Maxx Parent Company Data Theft Is The Worst Ever

The intrusion hands the retailer the dubious honor of surpassing the 40 million stolen customers record mark, something that only CardSystems had been able to achieve.

TJX Co., the parent company of T.J. Maxx and other retailers, on Wednesday dropped a bombshell in its ongoing investigation of a customer data breach by announcing in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers have been stolen from its IT systems. Information contained in the filing reveals a company that had taken some measures over the past few years to protect customer data through obfuscation and encryption. But TJX didn't apply these policies uniformly across its IT systems and as a result still has no idea of the extent of the damage caused by the data breach.

As a result, TJX is a company under siege. The company recorded a fourth-quarter charge of about $5 million to cover the costs of containing and investigating the breach, as well as improving the security of its IT systems, communicating with customers, and paying legal fee. The U.S. Federal Trade Commission has launched an investigation of TJX. While the FTC wouldn't reveal the nature of the investigation or when it began, it's likely the result of the data breach. And lawsuits have begun to fly, including one by the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock.

The intrusion into TJX's IT systems also hands the retailer the dubious honor of surpassing the 40 million stolen customers record mark, something that only CardSystems had been able to achieve. And it puts to shame the Veterans Affairs Department, which last year briefly lost track of more than 26 million records thanks to a stolen employee laptop.

The effects of the stolen TJX data, not to mention the underground cybercriminal economy that trades in customer data, already are being felt. General Dynamics, IBM, TJX, and the various law enforcement entities investigating the cyberattack still don't know who took the customer information, but it's clear where some of that information ended up. Data stolen from TJX recently surfaced at Wal-Mart stores in Florida, where it's been used to help thieves steal about $8 million in merchandise from Wal-Mart stores. The thieves used the stolen TJX customer data to create dummy credit cards for purchasing Wal-Mart and Sam's Club gift cards, and then used those to hit stores in 50 of Florida's 67 counties.

TJX claims it also doesn't know "whether there was one continuing intrusion or multiple, separate intrusions," according to the SEC filing. What the company does know is that on Dec. 18, it learned of suspicious software on its computer systems. By Dec. 21, "there was strong reason to believe that our computer systems had been intruded upon and that an intruder remained on our computer systems," the filing says. Given that the intruder was still operating, U.S. Secret Service advised TJX officials that disclosure of the suspected intrusion might impede their criminal investigation and requested that the company keep a lid on the incident until law enforcement gave them the green light to announce the breach.

The company disclosed the breach on Jan. 17, only to later find that that the intrusion may have been initiated earlier than it had originally reported and that additional customer information potentially had been stolen. Based on the investigation to date, it's believed that TJX's computer systems were first accessed by an unauthorized intruder in July 2005, on subsequent dates in 2005, and from mid-May 2006 to mid-January 2007, but that no customer data were stolen after Dec. 18.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
[Interop ITX 2017] State Of DevOps Report
[Interop ITX 2017] State Of DevOps Report
The DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
Register for InformationWeek Newsletters
White Papers
Current Issue
IT Strategies to Conquer the Cloud
Chances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll