Hackers stole 45.7 million credit, debit card numbers, TJX says

March 30, 2007|By Jenn Abelson | Jenn Abelson,The Boston Globe

At least 45.7 million credit and debit card numbers were stolen by hackers who accessed the computer systems at the TJX Cos. Inc. at its headquarters in Framingham, Mass., and in the United Kingdom over a period of several years, making it the biggest breach of personal data ever reported, according to security specialists.

Details are still sketchy, but TJX said unauthorized software placed on its computer systems stole at least 100 files containing data on millions of accounts from systems that process and store transaction information in Framingham and Watford, United Kingdom.

Moreover, TJX believes the hackers had the capability last year to steal payment card data from its Framingham system as transactions were being approved. Even the files that TJX tried to protect through encryption might have been compromised because the company believes the hackers had access to the decryption tool.

"It's the biggest card heist ever," said Avivah Litan of technology consulting firm Gartner Inc. "It's done considerable damage."

TJX, the discounter that operates the T.J. Maxx and Marshalls chains, also said in a regulatory filing Wednesday that another 455,000 customers who returned merchandise without receipts had personal data stolen, including driver's license numbers.

The filing provided the first detailed accounting on the breach since TJX publicly disclosed the problem in mid-January. TJX spokeswoman Sherry Lang said about 75 percent of the compromised cards were expired or had data in the magnetic strip masked, meaning the information was stored as asterisks rather than numbers. But the true extent of the damage likely will never be known, Lang said, because of the methods used by the intruder and file deletions by TJX done in the normal course of business.

"We do not know who took this action and whether there were one or more intruders involved," the filing states. "We are engaged in an ongoing investigation of the computer intrusion."

"There's a lot we may never know, and it's one of the difficulties of this investigation," Lang said.

The disclosure Wednesday came days after a ring of thieves was arrested in Florida and charged with using stolen credit card numbers to buy more than $8 million worth of gift cards and electronics, allegedly using data from TJX.

TJX, which runs more than 2,500 stores worldwide, is facing an investigation by the Federal Trade Commission and numerous lawsuits from individuals and banks.

In Wednesday's filing, TJX for the first time identified Dec. 18 as the date when it first learned of suspicious software on its computer system and provided the most extensive timeline to date of the problem. TJX believes that its systems were first accessed in July 2005 and on subsequent dates in 2005 and from mid-May 2006 to mid-January this year. No customer data were stolen after Dec. 18.

On Dec. 19, the company said, it hired General Dynamics Corp. and International Business Machines Corp. to investigate, and by Dec. 21, they determined that a hacker broke into the computer systems and remained active there. The next day, TJX notified the federal authorities, and by Dec. 27 it was confirmed that customer data had been stolen. On Jan. 3, company officials and the U.S. Secret Service met with its contracting banks and payment card and check processing companies to discuss the computer intrusion. On Jan. 13, the company publicly disclosed the breach.

Later that month, TJX presented a briefing to a multistate group of attorneys general and the Federal Trade Commission. Last month, the company found evidence that the intrusion of its systems happened earlier than it previously reported.

TJX said Wednesday that it is sending letters to the estimated 455,000 customers whose driver's license numbers, state identification numbers or military identification numbers and names and addresses were believed to have been stolen. TJX's Lang said the company will offer credit monitoring for customers whose driver's license numbers or state identification numbers are the same as their Social Security numbers.

The security breach has cost the retailer $5 million for the investigation and new computer security, among other efforts, but TJX said it cannot yet estimate total losses.

This case represents one of the most aggressive and widespread data security breaches ever, according to several security specialists. The Federal Trade Commission has struck more than a dozen settlements with businesses after data security breaches.

"These guys perpetrated a perfect crime," Ken Steinberg, chief executive of Savant Protection Inc. a Nashua, N.H., maker of security software, said of the TJX case. "This is what scares the living daylights out of everybody. And this one won't be the last."

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.