TJX, the parent company of T.J. Maxx, Marshall's, and other retailers, disclosed in a Securities and Exchange Commission filing last week that more than 45 million credit and debit card numbers may have been stolen from its IT systems over an 18-month period, making it the largest customer data breach on record. TJX revealed the cybertheft in January but had declined to provide details. The SEC filing indicates a company with haphazard data security practices, at best.
TJX doesn't know "whether there was one continuing intrusion or multiple, separate intrusions," according to the filing. TJX discovered the break-in on Dec. 18, and it most likely dates back to July 2005. The cyberthieves may have stolen card data from TJX's Framingham, Mass., computer system during the approval process, in which payment data is transmitted to card issuers without being encrypted.
TJX recorded a fourth-quarter charge of about $5 million to cover the costs of containing and investigating the breach, as well as improving the security of its IT systems, communicating with customers, and paying legal fees. The Federal Trade Commission has launched an investigation of TJX, and lawsuits have begun to fly, including one by the Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock.