TJX Reports Wider Breach, But No Data on Affected Accounts

Off-price retailer TJX Cos. Inc. on Wednesday divulged more information about the intrusion into its computer network that contained credit and debit card data, but one piece of information still eludes public disclosure: the actual number of accounts compromised. Earlier estimates put the figure as high as 40 million (Digital Transactions News, Jan. 22), but industry sources say nothing is confirmed yet. “It's all been conjecture,” says Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc. “My take is that nobody really knows.” A spokesperson for Framingham, Mass.-based TJX, owner of the T.J. Maxx, Marshalls, HomeGoods, A.J. Wright, and Bob's Stores chains in the U.S. as well as others in Canada, the United Kingdom, and Ireland, did not return a call for comment. And a spokesperson for the Massachusetts Attorney General's office, which is leading a 30-plus-state investigation into the breach, had no number to disclose this morning. “That's one of the things that our investigation is looking into,” she says. Banks around the country have begun reissuing cards in response to the breach, and fraud on affected accounts has been reported in the U.S and abroad. In a press release issued in conjunction with its fiscal fourth-quarter 2007 earnings report, TJX said the intrusion happened about a year earlier than the May 2006 to January 2007 timeframe it earlier believed. “TJX now believes its computer system was also intruded upon in July 2005 and on various subsequent dates in 2005,” the release says. “TJX continues to believe there was no compromise of customer data after mid-December 2006.” The release also says that in addition to the customer data previously reported as compromised, TJX now believes data involving credit and debit card transactions at its U.S., Puerto Rican, and Canadian stores, excluding transactions on debit cards issued by Canadian banks, from January 2003 through June 2004 were compromised. The company previously reported that the 2003 data might have been accessed. “For most of the transactions from September 2003 through June 2004, some of the card information was masked at the time of the transaction, making that portion unavailable to the intruder,” the release says. “Names and addresses were not included with the credit and debit card data believed compromised.” TJX doesn't believe debit card PINs and Bob's Stores transaction data were compromised. When it announced the breach Jan. 17, TJX said some drivers' license data had been compromised. Today the company said it has found more drivers' license numbers together with related names and addresses have been compromised. Those data were associated with unreceipted merchandise returns in the U.S. and Puerto Rico in the last four months of 2003 and May and June of 2004. The company also said it has found evidence of an intrusion into the part of its computer system that processes customer transactions for its T.K. Maxx stores in the U.K. and Ireland. While TJX suspects data may have been compromised, it hasn't yet confirmed any unauthorized access to or actual theft of data. In the release, TJX president and chief executive Carol Meyrowitz said the merchant has a “large team of people” working on the case and that the company has “strengthened the security” of its network. After it discovered the intrusion, TJX hired General Dynamics Corp. and IBM Corp. to help it investigate the incident and upgrade its security. “Based on everything we have done, I believe customers should feel safe shopping in our stores,” Meyrowitz said. The bad news from TJX follows the recent disclosure by Stop & Shop Supermarket Cos. that credit and debit card account data and PINs had been stolen at in-lane PIN pads in two Rhode Island stores (Digital Transactions News, Feb. 20). The devices had reportedly been tampered with to obtain the data. The grocery chain also said it had detected suspicious activity at four other stores in Rhode Island and Massachusetts. In its earnings report, TJX said it does not yet have enough information to estimate potential losses from the breach. The company in the fiscal fourth quarter ended Jan. 27 did take a 1-cent per-share charge, or approximately $5 million, in breach-related expenses.