Theft of 45.6M Card Numbers Largest Heist Yet

Jaikumar Vijayan

April 02, 2007 (Computerworld) After more than two months of refusing to reveal the size and scope of the high-profile intrusion into its systems, The TJX Companies Inc. finally disclosed details about the extent of the compromise.

In filings with the U.S. Securities and Exchange Commission last week, the company said 45.6 million credit and debit card numbers were stolen from two of its systems over a period of more than 18 months by an unknown number of intruders.

That total eclipses the 40million records compromised in the mid-2005 breach at the former CardSystems Solutions Inc., and makes the TJX incident the worst publicly disclosed compromise involving the loss of personal card data.

The systems that were broken into were located at TJX’s Framingham, Mass., headquarters. The theft is the worst on record involving personal data.

In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 people in 2003 was also stolen, the filing said.

Avivah Litan, an analyst at Gartner Inc., expressed surprise at the scope of the breach. “I had heard rumors that it was bigger than CardSystems, but I was still somewhat shocked it was actually this big.”

The number of stolen records “makes this the biggest card heist ever,” Litan said. “It proves there are very sophisticated cybercriminals out there at large who have the potential to wreak havoc on pure-payment systems. If this isn’t a wake-up call for stronger card and payment system security, I’m not sure what is.”

In its filing, TJX said it is in the process of contacting individuals affected by the breach.

“Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed,” the company said.

Framingham, Mass.-based TJX, the owner of T.J. Maxx, Marshalls and Bob’s Stores, disclosed inJanuary that someone had illegally accessed one of its payment systems and stolen card data from an unspecified number of customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland.

At the time, TJX said it believed the intrusion took place in May 2006 but wasn’t discovered until mid-December — seven months later. A few weeks after its initial disclosure of the breach, the company said that an investigation by IBM and General Dynamics Corp. had concluded that the intrusion may have taken place in July 2005.

TJX has confirmed that its systems were first accessed in July 2005 and then on several more occasions in 2005, 2006 and even in mid-January 2007 — after the breach was discovered. However, no data appears to have been stolen after Dec. 18, when the intrusion was first noticed, it said.

The systems that were broken into, which were located at the company’s headquarters, processed and stored data related to payment cards, checks and merchandise returned without receipts.

The data breach affected customers of TJX’s T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico. Also affected were customers of its Winners and HomeSense stores in Canada and TK Maxx stores in the U.K., the company said.

The filing said the company is having difficulty determining exactly what kind of data was stolen, because a lot of the data is deleted by TJX in the normal course of business.

“In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” the company said. It did not identify the technology.

Customer names and addresses were not included with any of the card data believed stolen from the Framingham systems, TJX said.

The company said that by April 3, 2006, it had begun to mask payment card personal identification number data, “some other portions of payment card transaction information” and check transaction data.

The company reported that it has spent about $5million in connection with the breach. It warned that potential future costs are still undetermined and noted that several lawsuits have been filed against it since the breach was announced.

One TJX shareholder, the Arkansas Carpenters Pension Fund, recently sued the company for its failure to divulge more details about the breach.

TJX’s disclosure came just days after six Florida residents were arrested and charged with launching a multimillion-dollar statewide credit card fraud ring using information stolen from the company. Losses experienced by Wal-Mart Stores Inc. and other retailers due to the fraud have so far totaled at least $8 million.