Saturday, September 21, 2024

Under Fire, TJX Defends Its Handling of Card Data Breach

Off-price retailer The TJX Cos. Inc. is defending its month-long delay in the disclosure of an intrusion into its network that handles customer payment card data, saying it may have prevented the data breach from becoming worse. TJX discovered the breach in mid-December, but didn't reveal it until Jan. 17.

“First and foremost, we were concerned that there would be an expansion of our systems breach,” TJX founder and chairman Bernard “Ben” Cammarata says in a video and “Frequently Asked Questions” statement posted Monday on the TJX Web site, http://www.tjx.com. “By not making a public announcement in December, and with the help of top security experts, we were able to contain the problem and strengthen our computer network to prevent the possibility of further intrusion and of future attacks by the intruder or others like him. Most importantly, our actions greatly reduced the risk for more customer data to be exposed. Therefore, we believe that we were acting in the best interest of our customers. In addition, we maintained confidentiality of the intrusion as requested by law enforcement.”

Framingham, Mass.-based TJX still hasn't revealed how many customers had their data compromised, but some reports have estimated it may be as high as 40 million (Digital Transactions News, Jan. 22). A TJX spokesperson did not return a Digital Transactions News call for comment.

The intrusions happened in 2003 and from mid-May to mid-December of 2006. They affected part of the corporate network that handles the firm's T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the United States and Puerto Rico, and Winners and HomeSense stores in Canada. They also may have affected the part of the network that handles customer transactions at T.K. Maxx stores in the United Kingdom and Ireland. TJX earlier thought the intrusion may have affected its Bob's Stores in the U.S., but now believes it did not. TJX also now believes the breach did not affect debit cards issued by Canadian banks.

The breach has led to calls in Congress to examine data security and to a bill in the Massachusetts legislature to make retailers liable for the costs financial institutions incur for reissuing cards affected by data breaches. The Massachusetts Bankers Association reported last week that the payment card networks have contacted nearly 60 Bay State banks about compromised cards, and some have begun reissuing cards. Fraudulent activity on credit and debit cards issued by Massachusetts banks has occurred in Florida, Georgia, and Louisiana, and in Hong Kong and Sweden, the MBA says. The association cautions the number is likely to go higher, and press reports about suspect transactions in other states are starting to trickle in.

In its statement today, TJX reports that it confirmed the intrusion after “an outside consultant advised us in mid-December 2006 of suspicious activity on our computer network.” The company said it immediately hired IBM Corp. and General Dynamics Corp. to investigate. Those companies “found strong reason to believe that we had suffered an intrusion,” TJX says, whereupon TJX informed law-enforcement officials, including the U.S. Department of Justice, the Secret Service and Royal Canadian Mounted Police.

Cammarata also defended TJX's decision not to contact customers directly about the breach, saying that most of the data stolen or suspected to have been stolen do not include customer names or addresses. “When customers conduct debit and credit card transactions in our stores, we do not collect their names or addresses,” he said. “Most of the data that may have been compromised in the breach was credit and debit card numbers and expiration dates. Also, we are fairly certain that debit card personal identification numbers, or PINs, were not compromised.” TJX did contact “a relatively small number of customers whose names, addresses, and driver's license numbers” it knows were stolen in the intrusion.

The company has set up toll-free help lines for customers in the U.S., Canada, Britain, and Ireland.

Digital Transactions