TJX Companies Inc. may have stored more customer data than necessary, putting possibly millions of customers at risk for ID theft, according to some in the banking industry.
Meanwhile, one ID theft victim said TJX customers should take an important lesson from this latest data breach: Companies can't always be trusted to protect data, so customers must do a better job tracking the whereabouts of their own information.
"You need to know where your information is going and what steps a company is doing to protect that data," said Rennee Schwartz, a Davenport, Iowa, resident whose credit card information was stolen two years ago. "You have to be more cautious, more astute when reviewing credit card statements. Stay on top of your information and don't wait until it's too late."
Framingham, Mass.-based TJX acknowledged Wednesday that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The intrusion may involve customers of its T.K. Maxx stores in the U.K. and Ireland and could also extend to TJX's Bob's Stores in the U.S., the company said.
The discovery was made in December, but the retailer said investigators asked to delay an immediate announcement of the breach during the initial part of the investigation.
Following the TJX announcement, banking officials expressed concern about the scope of the data breach. The Massachusetts Bankers Association, for example, told The Boston Globe that credit-card companies informed 28 of its member banks that some cardholders may have been affected by the breach, and that the number will probably grow.
Daniel J. Forte, president of the banking trade group, suggested that TJX might have been holding onto customer data that shouldn't have been kept around. He noted that under credit-card network rules, retailers aren't supposed to store information after they confirm a person's identity and account balance. "After the transaction clears, there is no reason to store any data," he told the Globe.
Forte did not immediately respond to a phone request for additional comment, nor did TJX spokeswoman Sherry Lang.
ID theft victim speaks out
While Schwartz's case wasn't tied to a company data breach like the one TJX suffered, she was still unsettled by the news and sympathizes with those whose credit card data might have been compromised.
"You use credit cards online because it's convenient, and then you discover it's not so convenient," she said. "You expect a company to protect its customers' data and it's disconcerting when you discover that's not happening. We're also dealing with a new caliber of thief that steals online."
Schwartz and her husband learned their information had been compromised when one of their credit card providers reported suspicious purchases being made on the Internet with her card number.
"Someone got hold of the credit card number and spent a little over $1,000 on computer items -- routers, broadband and membership subscriptions for online computer publications and services," she said.
While she doesn't know for certain how her data was compromised, Schwartz is pretty confident the problem was tied to the Xbox Live program her son was using via her home computer.
"To play programs on Xbox Live, our firewall had to be turned off, so we were wide open," she said. "I knew the firewall had to come down and didn't like it. My son was supposed to put it back up after using the program but must have forgotten at some point. In hindsight, though, the damage may have been done while he was using the program."
She believes someone exploited that weakness and accessed the credit card number used specifically for the Xbox Live program, which was stored online.
"The person who did this wasn't very sophisticated," she said. "They were out for some hit-and-miss items, the goal being to buy a few things."
The incident left her feeling vulnerable and less trusting of online commerce. She also had to deal with the hassle of getting another credit card and notifying the companies that took monthly payments from the old card.
After cleaning up the mess, Schwartz took steps to ensure she wouldn't be victimized again. For starters, the Xbox program is no longer used on the computer where she keeps personal data. She also changes her password more frequently now, and will only use one credit card for online transactions instead of the two she used to use. She also checks her online credit card statements more doggedly to make sure there are no suspicious charges.
After sharing her experience with a friend who works for the Fraud Resource Group, she decided to tell her story so that others might take steps to protect themselves.
The Fraud Resource Group investigates and works to prevent online fraud. One of the weapons it tries to direct people toward is a product from Edison, N.J.-based security vendor StrikeForce Technologies Inc. called GuardedID, which is designed to encrypt data so it can't be harvested by keyloggers.
While such tools could go a long way toward protecting people from ID theft, Schwartz said it's most important to pay attention to what companies are doing with their customers' data.
"People think this can't happen to them. But it can happen to anyone," she said.