PCI 3.0 special report: Reviewing the state of payment card compliance
A comprehensive collection of articles, videos and more, hand-picked by our editors
After a month of investigation, officials at TJX Companies Inc. said Wednesday that the massive data breach the company disclosed in January is even worse than they originally thought.
Until now, the company believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation has turned up evidence that the thieves also were inside the network several other times, beginning in July 2005.
Officials also said that the scope of the data accessed in the attacks is larger than they had previously disclosed. TJX originally said the thieves had access to a "relatively small number" of drivers license numbers and customer names. Now, however, it turns out that number is larger than company officials thought last month, although they're not saying exactly how large.
The company also disclosed that more credit card and debit card data was at risk. Customers who used their cards at the company's stores between January 2003 and June 2004 are now known to be at risk, as well.
TJX also discovered that the portion of its network that processes transactions at its stores in England and Ireland had been compromised, but they have not found any evidence that the crackers accessed customer data.
TJX officials emphasized that the investigation into the attacks is still ongoing and that more information on which data was accessed when could be forthcoming.
"Our investigation is ongoing and we are providing an update today on new developments. We are dedicating substantial resources to investigating and evaluating the intrusion, which, given the nature of the breach, the size and international scope of our operations, and the complexity of the way credit card transactions are processed, is, by necessity, taking time," said Carol Meyrowitz, president and CEO of TJX, based in Framingham, Mass. "We value our customers' trust and I want our customers to know that I am deeply committed to continuing to address the security of our computer systems."
The TJX breach first came to light in late January, although company officials had discovered it a month earlier. The company has been working with law enforcement agencies and security experts to assess the scope of the attacks and potential damage.