Until now, the company believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation has turned up evidence that the thieves also were inside the network several other times, beginning in July 2005.
Officials also said that the scope of the data accessed in the attacks is larger than they had previously disclosed. TJX originally said the thieves had access to a "relatively small number" of driver's license numbers and customer names. Now, however, it turns out that number is larger than company officials thought last month, although they're not saying exactly how large.
The company also disclosed that more credit card and debit card data was at risk. Customers who used their cards at the company's stores between January 2003 and June 2004 are now known to be at risk, as well.
TJX also discovered that the portion of its network that processes transactions at its stores in England and Ireland had been compromised, but the company has not found any evidence that the crackers accessed customer data.
TJX officials emphasized that the investigation into the attacks is still ongoing and that more information on which data was accessed when could be forthcoming.
"Our investigation is ongoing and we are providing an update today on new developments. We are dedicating substantial resources to investigating and evaluating the intrusion, which, given the nature of the breach, the size and international scope of our operations, and the complexity of the way credit card transactions are processed, is, by necessity, taking time," said Carol Meyrowitz, president and CEO of TJX, based in Framingham, Mass. "We value our customers' trust and I want our customers to know that I am deeply committed to continuing to address the security of our computer systems."
The TJX breach first came to light in late January, although company officials had discovered it a month earlier. The company has been working with law enforcement agencies and security experts to assess the scope of the attacks and potential damage.