Update: Retail breach may have exposed card data in four countries

Computerworld - The credit and debit card data of a large number of shoppers in the U.S., Puerto Rico and Canada, and possibly in the U.K and Ireland, may have been compromised as the result of a hacking incident at The TJX Companies Inc. last month.

According to a statement issued today by the Framingham, Mass.-based retailer, the network intrusion took place in mid-December and involved systems used to process credit, debit, check and merchandise-return transactions at its TJ Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S and Puerto Rico.

Also affected was customer transaction data from TJX's Winners and HomeSense stores in Canada, the company said. Data collected at its T.K. Maxx stores in the U.K and Ireland, and at its Bob's Stores unit in the U.S. may have been put at risk as well.

"While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known," the company said in its statement.

Credit and debit card data involving transactions processed during 2003 and between May and December of last year may have been accessed as part of the intrusion, according to TJX. The company said that thus far, it has identified "a limited number" of card holders whose data was removed from its systems. All major card brands accepted by TJX have been affected, including Visa, MasterCard, American Express and Discover.

In addition, the retailer said it has identified "a relatively small number" of customers whose driver's license information was also stolen from the compromised systems. No information was released on the total number of people that might have been affected by the breach. Neither did TJX disclose any details on how exactly the intruder gained access to the systems and the data.

TJX said it has hired IBM and General Dynamics Corp. to "monitor and evaluate" the intrusion, and to help the company identify the extent of the data compromise. Both vendors also are helping TJX shore up its security following the breach, the retailer said without specifying what measures have been taken in that regard.

The company added that it has notified the U.S. Department of Justice and Secret Service, and the Royal Canadian Mounted Police, of the data breach and "provided all assistance requested" by the law enforcement agencies in an attempt to help track down the perpetrators. The major credit card companies have been notified as well.

In an e-mailed statement, Rosetta Jones, a vice president at Visa U.S.A. Inc., said the credit card company is working with law enforcement officials and TJX to investigate the compromise.