Theft of 45.6M Card Numbers Largest Heist Yet

Computerworld - After more than two months of refusing to reveal the size and scope of the high-profile intrusion into its systems, The TJX Companies Inc. finally disclosed details about the extent of the compromise.

In filings with the U.S. Securities and Exchange Commission last week, the company said 45.6 million credit and debit card numbers were stolen from two of its systems over a period of more than 18 months by an unknown number of intruders.

That total eclipses the 40million records compromised in the mid-2005 breach at the former CardSystems Solutions Inc., and makes the TJX incident the worst publicly disclosed compromise involving the loss of personal card data.

In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 people in 2003 was also stolen, the filing said.

Disappearing Data

Top Commercial Card Data Breaches in U.S. •  The TJX Companies Inc. - 46.5 million •  CardSystems Solutions Inc. - 40 million •  iBill Internet - 17.8 million •  BJs Wholesale Club Inc. - 8 million •  Circuit City Stores Inc. - 2.6 million Source: Privacy Rights Clearinghouse

Avivah Litan, an analyst at Gartner Inc., expressed surprise at the scope of the breach. “I had heard rumors that it was bigger than CardSystems, but I was still somewhat shocked it was actually this big.”

The number of stolen records “makes this the biggest card heist ever,” Litan said. “It proves there are very sophisticated cybercriminals out there at large who have the potential to wreak havoc on pure-payment systems. If this isn’t a wake-up call for stronger card and payment system security, I’m not sure what is.”

In its filing, TJX said it is in the process of contacting individuals affected by the breach.

“Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed,” the company said.

Framingham, Mass.-based TJX, the owner of T.J. Maxx, Marshalls and Bob’s Stores, disclosed inJanuary that someone had illegally accessed one of its payment systems and stolen card data from an unspecified number of customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland.

At the time, TJX said it believed the intrusion took place in May 2006 but wasn’t discovered until mid-December — seven months later. A few weeks after its initial disclosure of the breach, the company said that an investigation by IBM and General Dynamics Corp. had concluded that the intrusion may have taken place in July 2005.