TJX Companies Inc. acknowledged Wednesday that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. One analyst said this represents the biggest data breach in history.
The Framingham, Mass.-based retail giant finally gave a tally of the damage in a regulatory filing with the Securities and Exchange Commission (SEC). The company also acknowledged that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.
TJX spokeswoman Sherry Lang told The Boston Globe, which first reported the filing Wednesday night, that about 75% of the affected cards had either expired or had data from their magnetic stripes masked, meaning the data was stored as asterisks rather than numbers.
She admitted the full extent of the damage may never be known because of the attackers' methods. According to the Globe, much of the transaction data was deleted by TJX in the normal course of business between the time of the thefts and the time they were discovered, making it impossible to know how many card numbers were obtained.
"This was obviously done over a long period of time, in many locations," she told the Globe. "It's done considerable damage."
By comparison, 26.5 million veterans and active duty personnel were affected by the theft of a Department of Veterans Affairs (VA) laptop and external hard drive last year. And in 2005, credit card transaction processor CardSystems Solutions Inc. acknowledged that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more to fraud.
TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions.
The TJX breach was worse than first thought. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, TJX recently admitted that thieves were inside the network several other times, beginning in July 2005. In Wednesday's SEC filing, the company said the stolen data covers transactions dating back even further, to December 2002. The Federal Trade Commission (FTC) is investigating the breach.
TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS), several PCI auditors told SearchSecurity.com recently, and the company will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.
The Massachusetts Bankers Association has reported that several of its member banks have been affected by fraudulent transactions associated with the TJX data breach. The stolen data has reportedly been used to make purchases in Florida, Georgia and Louisiana as well as Hong Kong and Sweden, for example. In addition, credit card issuers have contacted at least 60 banks about compromised cards.
Law enforcement officials in Florida, meanwhile, claim thieves were using customer data from TJX last November for a gift card scheme -- a month before TJX learned of the breach. Police last week charged six people with using the credit card numbers to purchase about $1 million in merchandise with gift cards.
Also last week, the Arkansas Carpenters Pension Fund -- which owns 4,500 shares of TJX stock -- filed a suit against the company under a law permitting shareholders to sue for access to corporate documents in certain cases. The pension fund wants the records to see whether TJX's board has been doing its job in overseeing the company's handling of customer data.
In late January, a West Virginia woman filed a class action lawsuit against the company accusing it of negligence for not doing enough to secure customer data and for keeping quiet about the breach for a month.