The Federal Trade Commission (FTC) confirmed Monday that it's investigating the massive data breach at TJX Companies Inc. that exposed millions of customers to potential identity fraud.
The FTC isn't releasing documentation related to its investigation despite a request for information by The Boston Globe. The commission told the newspaper in a March 8 letter that "disclosure of that material could reasonably be expected to interfere with the conduct of the Commission's law enforcement activities."
TJX spokeswoman Sherry Lang told the Globe that the company is cooperating with the FTC.
Framingham, Mass.-based TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions.
The TJX breach was worse than first thought, TJX officials admitted last week. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation has turned up evidence that the thieves also were inside the network several other times, beginning in July 2005.
TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS), several PCI auditors told SearchSecurity.com recently, and the company will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.