T.J. Maxx Probe Reveals Data Breach Worse Than Originally Thought - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News

T.J. Maxx Probe Reveals Data Breach Worse Than Originally Thought

The retailer's parent company believes portions of the credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores from January 2003 through June 2004 were compromised.

The theft of customer data from TJX Companies' retail stores is worse than originally thought, the parent company of T.J. Maxx, Marshalls, HomeGoods, and others acknowledged Wednesday in a statement.

An ongoing investigation into the security breach has revealed that, while the company previously believed that the intrusion took place from May 2006 to January 2007, TJX now believes its computer system was maliciously hacked in July 2005 and on various subsequent dates in 2005.

Even worse, the company now believes portions of the credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores -- excluding debit card transactions with cards issued by Canadian banks -- from January 2003 through June 2004 were compromised. TJX, whose assets include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods locations, had previously reported that the 2003 transaction data had potentially been accessed.

For most of the transactions from September 2003 through June 2004, some of the card information was masked at the time of the transaction, making that portion unavailable to the intruder, the company said in a statement. Further, names and addresses weren't included with the credit and debit card data believed to have been stolen. Debit card PINs, information from transactions at Bob's Stores, and transactions made with debit cards issued by Canadian banks aren't believed to have been compromised.

This bad news about the data breach comes amidst TJX's report Wednesday of strong financials for fiscal 2007, ended Jan. 27. Revenue for fiscal 2007 was $17. 4 billion, up 9% from the previous fiscal year. Profits for fiscal 2007 were $738 million, up from $690.4 million in fiscal 2006. The earnings, however, included a fourth-quarter charge of 1 cent per share, or about $4.5 million, related to the hack, including the costs to investigate and contain the intrusion, enhance computer security, and communicate with customers. TJX says it learned of the data breach in mid-December but, at the request of law enforcement, didn't make news of the attack public. The company has since hired General Dynamics and IBM to evaluate the intrusion and identify affected data.

"We are dedicating substantial resources to investigating and evaluating the intrusion, which, given the nature of the breach, the size and international scope of our operations, and the complexity of the way credit card transactions are processed, is, by necessity, taking time," TJX CEO and president Carol Meyrowitz said in a statement.

TJX also believes that additional drivers' license numbers, along with the related names and addresses, were compromised for the last four months of 2003 and May and June 2004. TJX collected this information when T.J. Maxx, Marshalls, and HomeGoods customers in the United States and Puerto Rico attempted to make merchandise returns without a receipt. TJX has also likely run afoul of the Payment Card Industry Data Security Standard created by Visa and MasterCard, as a number of documents sent by Visa to financial institutions that issue cards and manage Visa transactions indicate TJX was storing credit and debit card data in violation of the standard.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
The State of IT & Cybersecurity Operations 2020
The State of IT & Cybersecurity Operations 2020
Download this report from InformationWeek, in partnership with Dark Reading, to learn more about how today's IT operations teams work with cybersecurity operations, what technologies they are using, and how they communicate and share responsibility--or create risk by failing to do so. Get it now!
Slideshows
IT Careers: 10 Industries with Job Openings Right Now
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/27/2020
Commentary
How 5G Rollout May Benefit Businesses More than Consumers
Joao-Pierre S. Ruth, Senior Writer,  5/21/2020
News
IT Leadership in Education: Getting Online School Right
Jessica Davis, Senior Editor, Enterprise Apps,  5/20/2020
Register for InformationWeek Newsletters
Video
Current Issue
Key to Cloud Success: The Right Management
This IT Trend highlights some of the steps IT teams can take to keep their cloud environments running in a safe, efficient manner.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll