News Stay informed about the latest enterprise technology news and product updates.

TJX says at least 45.7 million card numbers stolen

An analyst says the 45.7 million-plus card numbers stolen in the TJX data breach marks the biggest online heist in history.

TJX Companies Inc. acknowledged Wednesday that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. One analyst said this represents the biggest data breach in history.

The Framingham, Mass.-based retail giant finally gave a tally of the damage in a regulatory filing with the Securities and Exchange Commission (SEC). The company also acknowledged that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.

TJX spokeswoman Sherry Lang told The Boston Globe, which first reported the filing Wednesday night, that about 75% of the affected cards had either expired or had data from their magnetic stripes masked, meaning the data was stored as asterisks rather than numbers.

She admitted the full extent of the damage may never be known because of the attackers' methods. According to the Globe, much of the transaction data was deleted by TJX in the normal course of business between the time of the thefts and the time they were discovered, making it impossible to know how many card numbers were obtained.

TJX data breach:
Data breach at TJX could affect millions

TJX gets little sympathy from blogosphere

TJX breach: There's no excuse to skip data encryption

Top IT execs could take heat for TJX breach

Did TJX take the right steps after data breach?

ID theft victim to TJX customers: Mind your data
Avivah Litan, VP of research with Stamford, Conn.-based Gartner Inc., called the TJX breach the largest online burglary ever.

"This was obviously done over a long period of time, in many locations," she told the Globe. "It's done considerable damage."

By comparison, 26.5 million veterans and active duty personnel were affected by the theft of a Department of Veterans Affairs (VA) laptop and external hard drive last year. And in 2005, credit card transaction processor CardSystems Solutions Inc. acknowledged that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more to fraud.

TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions.

The TJX breach was worse than first thought. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, TJX recently admitted that thieves were inside the network several other times, beginning in July 2005. In Wednesday's SEC filing, the company said the stolen data covers transactions dating back even further, to December 2002. The Federal Trade Commission (FTC) is investigating the breach.

TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS), several PCI auditors told recently, and the company will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.

The Massachusetts Bankers Association has reported that several of its member banks have been affected by fraudulent transactions associated with the TJX data breach. The stolen data has reportedly been used to make purchases in Florida, Georgia and Louisiana as well as Hong Kong and Sweden, for example. In addition, credit card issuers have contacted at least 60 banks about compromised cards.

Law enforcement officials in Florida, meanwhile, claim thieves were using customer data from TJX last November for a gift card scheme -- a month before TJX learned of the breach. Police last week charged six people with using the credit card numbers to purchase about $1 million in merchandise with gift cards.

More on data breaches:
Survey: Data breaches difficult to spot, prevent

The cost of privacy safeguards

Podcast: Larry Ponemon on data breaches

Privacy breaches: How to avoid making headlines

Giving notice: Victims lashing out at compromised companies

What keeps information security professionals up at night?

Also last week, the Arkansas Carpenters Pension Fund -- which owns 4,500 shares of TJX stock -- filed a suit against the company under a law permitting shareholders to sue for access to corporate documents in certain cases. The pension fund wants the records to see whether TJX's board has been doing its job in overseeing the company's handling of customer data.

In late January, a West Virginia woman filed a class action lawsuit against the company accusing it of negligence for not doing enough to secure customer data and for keeping quiet about the breach for a month.

Dig Deeper on Data security breaches

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.