March 29, 2007 9:28 AM PDT

TJX says 45.7 million customer records were compromised

In an update Wednesday on its investigation into a breach of customer records, TJX Companies said 45.7 million accounts were compromised over a period of nearly two years.

The scope of the breach, which was initially disclosed in January, is far wider than previously believed.

"This is the largest security breach we've ever had worldwide," said Avivah Litan, an analyst with research firm Gartner. "There was a case at CardSystems where 40 million records were exposed, but this one looks like it was a case where the information was stolen."

TJX, which operates such discount retail chains as T.J. Maxx and Marshalls in the U.S., released additional details of the breach in a filing with the Securities and Exchange Commission.

In its filing, TJX noted that cyberthieves first accessed its computer systems in July 2005 and installed software to harvest sensitive customer data, including account information, names and addresses, drivers' license numbers, and military and state identification. The breach continued through mid-January 2007.

Affected accounts and transactions included credit and debit card transactions, as well as checks and returned merchandise without receipts, at the company's Marshalls, T.J. Maxx, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico. Credit card transactions at TJX's Winners and HomeSense stores in Canada, as well as credit and debit card transactions at its T.K. Maxx stores in Ireland and the U.K., were also compromised.

TJX rang up a pre-tax charge of $5 million in the fourth quarter to deal with the computer breach, which included the costs associated with investigating the issues, improving its security systems and notifying customers.

Those costs are likely to increase, given the multiple lawsuits customers have filed and investigations launched by a number of government agencies. According to the SEC filing, a multistate investigation is currently under way that encompasses 30 states, and the Federal Trade Commission is also reviewing whether TJX violated laws pertaining to consumer protection. In Canada, several privacy commissioner offices in various provinces are also reviewing the matter.

The security breach at CardSystems, a third-party processor of payment data for banks and merchants, resulted in the exposure of credit card numbers for 40 million accounts, a figure comparable to the TJX case. Other notable cases include the breach at data broker ChoicePoint, which affected an estimated 145,000 Americans, and the breach at the University of California at Los Angeles, in which 800,000 people had their information compromised.

In TJX's case, Litan suspects the attackers gained access through a wireless regional hub for the company's store controllers, which handle the point-of-sale system. From there, she noted, the attackers may have been able to work their way into TJX's central system.

"Most retailers aren't looking at their point-of-sale system," Litan said. "Most enterprises tend to forget about the devices hanging off of their networks. What happened here may not be all that uncommon."


30% Of Working Population!!!
by Stating March 29, 2007 12:12 PM PDT
Forty-five million people is about 1/3 of the current U.S. workforce. So look to your co-worker on your left, your co-worker on your right, and know that one of you will have your financial life made a living hell by TJ Hacks for the next 10 years.

Shop at retail stores? My advice is to buy with cash for any transaction under $100. This will also save you from the retail stores' 35% credit card rates too. Stores will hate you for this -- Mervyn's tries to shill me into signing up for their CC every time I buy something, but screw them!
pathetic security
by lleather March 29, 2007 12:58 PM PDT
Their primary data center should've been protected from something like this, and every IT professional knows that wireless is the easy way into every network. A wireless connection is how hackers got into Microsoft several years ago. A MS employee was working from home with an open wireless connection - what an idiot. TJX should fire their entire IT department and start over.
The intrusion detection illusion
by Schratboy March 30, 2007 7:38 AM PDT
What's the matter? All the greatest IDS/IPS appliances, Firewalls, Anti-malware crap in-place and the company still got exploited? I'm not surprised.

IT managers are basically lazy. They spend huge dollars on control devices, train users and stick them in the control room. The signature baselines take care of the majority of mundane issues and people just basically don't care. The equipment was bought to do most of the work. The same story happens over and over again.

Exploits occur through laziness and over-reliance on technology. If nobody understands what is normal on the network, how can you tell what's abnormal? Today's hacks are subtle and take advantage of holes in processes and technology, and by exploiting social conditions. No signature can identify a threat if it isn't programmed to do so! HELLO!

Big appliances and big dollar expenditures are the life blood for most large company IT managers. They need to justify their salaries, staff and budgets and continue to pile box after box into their premises. Are they more secure? Yes, but at a considerably inflated cost.

IMHO, it's a very simple matter of clearly defining what should be on the network, coming in and going out, on every port and noting every protocol. In so doing the anomalies tend to stand out much more easily than simply trying to control everything. You can't spend your way to a secure network.