Update: Retail breach may have exposed card data in four countries

TJX discloses network intrusion, says full extent of info theft not yet known

The credit and debit card data of a large number of shoppers in the U.S., Puerto Rico and Canada, and possibly in the U.K and Ireland, may have been compromised as the result of a hacking incident at The TJX Companies Inc. last month.

According to a statement issued today by the Framingham, Mass.-based retailer, the network intrusion took place in mid-December and involved systems used to process credit, debit, check and merchandise-return transactions at its TJ Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S and Puerto Rico.

Also affected was customer transaction data from TJX's Winners and HomeSense stores in Canada, the company said. Data collected at its T.K. Maxx stores in the U.K and Ireland, and at its Bob's Stores unit in the U.S. may have been put at risk as well.

"While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known," the company said in its statement.

Credit and debit card data involving transactions processed during 2003 and between May and December of last year may have been accessed as part of the intrusion, according to TJX. The company said that thus far, it has identified "a limited number" of card holders whose data was removed from its systems. All major card brands accepted by TJX have been affected, including Visa, MasterCard, American Express and Discover.

In addition, the retailer said it has identified "a relatively small number" of customers whose driver's license information was also stolen from the compromised systems. No information was released on the total number of people that might have been affected by the breach. Neither did TJX disclose any details on how exactly the intruder gained access to the systems and the data.

TJX said it has hired IBM and General Dynamics Corp. to "monitor and evaluate" the intrusion, and to help the company identify the extent of the data compromise. Both vendors also are helping TJX shore up its security following the breach, the retailer said without specifying what measures have been taken in that regard.

The company added that it has notified the U.S. Department of Justice and Secret Service, and the Royal Canadian Mounted Police, of the data breach and "provided all assistance requested" by the law enforcement agencies in an attempt to help track down the perpetrators. The major credit card companies have been notified as well.

In an e-mailed statement, Rosetta Jones, a vice president at Visa U.S.A. Inc., said the credit card company is working with law enforcement officials and TJX to investigate the compromise.

"Visa has provided the affected accounts to financial institutions so they can take steps to protect consumers," Jones said. "In addition, Visa is risk-scoring all transactions in real time, helping card issuers better distinguish fraudulent transactions from legitimate ones."

MasterCard today, in an e-mailed statement, said that in response to the TJX breach, the company has instructed the banks that issued the cards to monitor accounts for suspicious activity.

"We will continue to both monitor this event and take steps to safeguard account information," the company said.

TJX has set up toll-free numbers for customers who may have concerns regarding the breach. U.S.-based customers can call 866-484-6978. The number for customers in Canada is 866-903-1408, while those in the U.K. and Ireland can call 0800-77-90-15.

The breach at TJX appears to be the most significant one at a retailer since a compromise at an unidentified company -- widely believed to be OfficeMax Inc. -- led to a worldwide outbreak of debit card fraud last March. As a result of that incident, banks and credit unions, including Bank of America Corp., Wells Fargo Bank and Washington Mutual Bank, were forced to cancel and reissue tens of thousands of cards.

Since then, the credit card companies have been aggressively trying to get retailers to adopt the Payment Card Industry Data Security Standard, which requires all entities handling credit and debit card data to implement different levels of prescribed security measures based on the number of transactions they process each year.

A major component of the PCI standard is a requirement that forbids retailers from storing credit and debit card data on point-of-sale systems. All retailers must ensure that their POS systems are purged of such information, which includes magnetic stripe, PIN and card verification value data, by next September.

The breach is sure to lend urgency to efforts by the major credit card companies to get retailers to implement PCI requirements, said Avivah Litan, an analyst with Gartner Inc. in Stamford, Conn. So far about 50% of Tier 1 merchants -- those processing more than 6 million credit card transactions per month —- are fully compliant with PCI though more than 18 months have passed since the requirements went into effect, she said.

TJX is a Tier 1 merchant and may even qualify to be a processor — and thereby have more stringent security requirements -- because of the sheer number of transactions it handles through its franchises and affiliates, she said. "I expect the credit card companies to come down really hard on this company" for its failure to protect customer data, she said.

Related Articles and Opinion

Copyright © 2007 IDG Communications, Inc.

  
Shop Tech Products at Amazon