Hackers steal info on 45.7 mil. consumers
By Mark Jewel, BOSTON, AP
March 31, 2007, 12:00 am TWN
A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information in the United States.
For the first time since disclosing the theft more than two months ago, the parent company of nearly 2,500 discount stores across North America and the United Kingdom put a number on how much card data was compromised — and the number could go higher, TJX Cos. acknowledged. Affected customers were found as far away as Sweden and Hong Kong.
Experts say TJX’s disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.
“It’s not clear when information was deleted, it’s not clear who had access to what, and it’s not clear whether the data kept in all these files was encrypted, so it’s very hard to know how big this was,” said Deepak Taneja, chief executive of Aveksa, a firm that advises companies on information security.
The case has led banks to reissue cards to customers as a precaution against further fraud, according to the Massachusetts Bankers Association, which is tracking fraud reports linked to TJX.
TJX is the parent company of stores including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada and T.K. Maxx in Britain.
The only arrests believed tied to the case involve a gift card scam in which 10 people are suspected of buying data from the TJX hackers to buy Wal-Mart gift cards in northern Florida. The group — who are not believed to have committed the TJX hack — used the cards to buy US$1 million (€750,000) worth of electronics and jewelry at Wal-Mart’s Sam’s Club stores, according to Florida police.
Information from at least 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the U.S. Securities and Exchange Commission after business hours Wednesday. TJX did not estimate the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003, to June 28, 2004.
TJX said about three-quarters of the 45.7 million cards had either expired at the time of the theft, or the stolen information did not include security code data from the cards’ magnetic stripes. Starting in September 2003, TJX began masking the codes by storing them in computers as asterisks rather than numbers, the company said.
The filing also said another 455,000 customers who returned merchandise without receipts had their data stolen, including driver’s license numbers.
With at least 46 million consumer records accessed, the TJX case outranks the previous largest case tracked by the Privacy Rights Clearinghouse: a June 2005 disclosure by credit card processor CardSystems that hackers accessed accounts of 40 million card holders.