The data breach at TJX Cos. that exposed sensitive credit and debit card data on an unknown number of customers occurred nearly seven months before it was detected, a company spokeswoman said today.
The breach occurred as far back as mid-May 2006 but was discovered only in mid-December, said company spokeswoman Debra McConnell. The original statement from Framingham, Mass.-based TJX announcing the data compromise last week mentioned only the discovery of the breach in December and made no reference to when the breach actually happened.
McConnell said the decision not to mention when the breach happened did not represent an "inconsistency" in the company's public reporting of the incident. "We had said in our press release that we had discovered the breach in mid-December but we did not put in when it occurred," she said.
McConnell did not provide details on the scope of the breach but reiterated the company's earlier statement that credit and debit card information belonging to "a limited number" of individuals had been stolen from the compromised system. "And by 'limited' we mean substantially less than millions," she said.
Meanwhile, a Canadian law firm, the Merchant Law Group, filed a class-action lawsuit against Winners and HomeSense, two TJX-owned retailers in Canada whose customers were affected by the breach.
The lawsuit was filed in courts in six Canadian provinces and seeks "financial recovery on behalf of all individuals for whom personal information has been revealed," a statement posted on the company's Web site said.
"There's a variety of issues, from the negligence of these companies to protect credit-card information to issues of violations of privacy legislation and other legislation that protect personal information in Canada," said Evatt Merchant a partner at the law firm.
"In terms of corrective action, there would have to be safeguards to make sure this didn't happen again, and damages have to be assessed on a classwide basis, though obviously that is something that is a bit downstream," right now, he said. He added that public response to the lawsuits has been "significant."
McConnell said TJX had no comment on the lawsuit.
TJX said last Wednesday that an "unauthorized intruder" had gained access to its system and may have stolen credit and debit card data belonging to an unspecified number of customers in the U.S., Canada and Puerto Rico, and possibly in the U.K. and Ireland.
The retailer, which owns discount retail chains including TJ Maxx, Marshalls and Bob's Stores, didn't disclose the number of shoppers that may have been affected by the breach, saying that the full extent of the data theft "is not yet known."
The compromised data included so-called Track 2 data taken from the magnetic stripes on the back of credit and debit cards. Track 2 data includes account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion. The storage of such information by retailers is forbidden under the Payment Card Industry (PCI) data security standard rules being pushed by the major credit card companies.
So far, about 50 banks in Massachusetts alone have been affected by the TJX breach, according to a spokesman at the Massachusetts Bankers Association.
Ryan Fisher, senior risk manager at Madison, Wis.-based CUNA Mutual Group, which insures about 5,500 credit unions, said that while the scope of the breach is unknown, it appears to have had an impact on a substantial number of credit unions as well.
"The sense is that it is widespread," he said. "We do see multiple credit unions in different regions impacted," he said.
The fact that some of the compromised data included Track 2 data is very disappointing, he said. There is also a "certain level of disappointment" that credit card companies have not been enforcing the standards more effectively, he said.