TJX data breach: At 45.6M card numbers, it's the biggest ever
It eclipses the compromise in June 2005 at CardSystems Solutions
Computerworld - After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise.
In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data.
In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was also stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings.
"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said.
Framingham, Mass.-based TJX is the owner of a number of retail brands, including T.J.Maxx, Marshalls and Bob's Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland.
At the time, TJX said it believed the intrusion took place in May 2006 but wasn't discovered until mid-December -- seven months later. A few weeks later, the company revised those dates and said that an investigation by IBM and General Dynamics, two companies it hired in the wake of the breach discovery, believed the intrusion may have taken place in July 2005.
Several banks and credit unions around the country and in the other affected regions had to block and reissue thousands of payment cards as a result of the breach.
In its filing, TJX confirmed that its systems were first accessed illegally in July 2005 and then on several occasions later in 2005, 2006 and even once in mid-January 2007 -- after the breach had already been discovered. However, no data appears to have been stolen after Dec. 18, when the intrusion was first noticed.
The systems that were broken into were based in Framingham and processed and stored information related to payment cards, checks and merchandise returned without receipts. The data breach affected customers of its T.J.Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico. Also affected were customers of its Winners and HomeSense stores in Canada and TK Maxx stores in the U.K.
Massive data thefts
- Update: Mastermind of TJX, Heartland breaches to plead guilty
- Alleged data-heist kingpin is a computer addict, lawyer says
- Gonzalez's lawyer to contend he was not the kingpin of Heartland, Hannaford breaches
- Hacking kingpin negotiating plea deal with feds
- Three indicted for hack attacks on Heartland, Hannaford
- TJX data breach: At 45.6M card numbers, it's the biggest ever
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts