Data breach at TJX could affect millions

By Robert Westervelt, News Editor 18 Jan 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The company said an attacker exploited a flaw in a portion of TJX's computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The intrusion may involve customers of its T.K. Maxx stores in the U.K. and Ireland and could also extend to TJX's Bob's Stores in the U.S., the company said.

Data breach: How to survive a data breach Complying with breach notification laws Column: Federal government pushes full-disk encryption Survey: Data breach costs surge News: Data breach at Boeing exposes 382,000 employees News: Hacker exploits UCLA database Column: Schneier: Data breach at UCLA barely newsworthy

The discovery was made in December, but the retailer said investigators asked to delay an immediate announcement of the breach during the initial part of the investigation.

Customers who shopped in the stores in 2003 and from mid-May to December, 2006 may have been affected, the company said. TJX said it has been able to specifically identify a limited number of credit card and debit card holders whose information was removed from the system.

The company said that "a relatively small number" of customer names and drivers' license numbers were also removed from its system. Those customers are being contacted directly.

The Company also hired consultants from General Dynamics Corp. and IBM to provide assistance in monitoring and evaluating the intrusion, assessing possible data compromise, and seeking to identify affected information. The consultants are also helping bolster TJX computer systems with security upgrades, the company said.

"We have also engaged two of the very best computer security experts to help us strengthen the security of our systems in order to prevent this from happening again and we believe customers should feel safe shopping in our stores," said Ben Cammarata, chairman and acting CEO of the company in an alert to customers on its Web site.

A special helpline is in place for TJX customers who have questions about the data breach. Customers may reach the helpline toll-free at 866-484-6978 in the United States, 866-903-1408 in Canada, and 0800 77 90 15 in the United Kingdom and Ireland.

Data breaches have been making headlines in 2006. In December, a hacker gained access to a computer system at the University of California, Los Angeles. About 800,000 potential victims were notified. Aircraft giant Boeing Co. also said in December that a company-owned laptop containing the personally identifiable information of nearly 400,000 of its employees and former workers was stolen.

According to a list posted by the watchdog group, Privacy Rights Clearing House, dozens of breaches have taken place in recent months. While, the UCLA breach was one of the largest involving a U.S. higher education institution, businesses have been grappling with data protection and notification of breaches.

In August, AT&T notified about 19,000 customers that their personal data was compromised after digital miscreants hacked one of its computer systems and gained access to credit card information and other personal data. In late 2005, a timeshare unit of Marriott International Inc. notified over 200,000 customers that a data on backup tapes were stolen.

Tags: Identity Theft and Data Security Breaches,  Enterprise Data Governance,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Theft and Data Security Breaches Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy Security expert's PCI analysis misguided, says PCI Council GM External attacks start with unintentional mistakes, survey finds Enterprise Data Governance Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors Voltage, RSA spar over tokenization, data protection Twitter gets condemned by CISOs at Forrester forum PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Cloud-based security services should start private Compliance in the cloud How to write technology outsourcing contracts

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary