
A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information.

For the first time since disclosing the theft more than two months ago, the parent company of nearly 2,500 discount stores put a number on how much card data was compromised — and it’s a number TJX Cos. acknowledges could go still higher.

Experts say TJX’s disclosures in a regulatory filing late Wednesday revealed security holes that persist at many firms entrusted with consumer data: failure to promptly delete data on customer transactions, and to guard secrets about how such data is protected through encryption.

“It’s not clear when information was deleted, it’s not clear who had access to what, and it’s not clear whether the data kept in all these files was encrypted, so it’s very hard to know how big this was,” said Deepak Taneja, chief executive of Aveksa, a Waltham, Mass.-based firm that advises companies on information security.

The case has led banks to reissue cards to customers as a precaution against further fraud beyond cases detected as far away as Sweden and Hong Kong, according to the Massachusetts Bankers Association, which is tracking fraud reports linked to Framingham, Mass.-based TJX, parent company of stores across North America and the United Kingdom.

The only arrests believed tied to the case involve a gift card scam in which 10 people are suspected of buying data from the TJX hackers to purchase Wal-Mart gift cards in northern Florida. The group — who aren’t believed to have committed the TJX hack — then used the cards to buy $1 million worth of electronics and jewelry at Wal-Mart’s Sam’s Club stores, according to Gainesville, Fla., police.

Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the Securities and Exchange Commission after business hours Wednesday.
TJX did not estimate the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003, to June 28, 2004.

TJX said about three-quarters of the 45.7 million cards had either expired at the time of the theft, or the stolen information didn’t include security code data from the cards’ magnetic stripes. Starting in September 2003, TJX began masking the codes by storing them in computers as asterisks rather than numbers, the company said.

The filing also said another 455,000 customers who returned merchandise without receipts had their data stolen, including driver’s license numbers.

With at least 46 million consumer records accessed, the TJX case outranks the previous largest case tracked by the Privacy Rights Clearinghouse: a June 2005 disclosure by credit card processor CardSystems that hackers accessed accounts of 40 million card holders.

Clearinghouse director Beth Givens said her San Diego-based consumer advocacy organization’s list includes data breaches disclosed after a 2003 California law required companies to notify consumers.

The TJX case “will probably serve as a case study for computer security and business students for years to come,” Givens said. “This one could be considered a worst-case scenario.”

One reason for that, she said, is because of TJX’s disclosure Wednesday that it believes the hacker or hackers “had access to the decryption tool for the encryption software utilized by TJX.”

TJX also said the hacker or hackers used technology last year that could have enabled them to steal card data during the approval process, when data is transmitted to the card issuer without encryption.

TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from transactions dating to January 2003. TJX’s filing says the company “does not know who took this action, and whether there were one or more intruders involved.”

How far scams like the one in Florida may have spread because of the TJX breach is unknown.

“It’s been all over the world,” said Bruce Spitzer, spokesman for the Massachusetts Bankers Association. “It’s the downstream transactions we’ve been hearing about,” involving thieves who buy stolen data from others, often hackers in other countries.

On Jan. 24, 60 of the 205 banks in the state association reported they had been contacted by credit card companies about cards that had been compromised. The next time the association conducts such a survey, Spitzer expects “it will be near 100 percent” based on recent reports from member banks.

A spokesman for the American Bankers Association said the group had not been tracking such data.

TJX didn’t find out about the breach until last Dec. 18, when it learned of “suspicious software on our computer systems.” The company then hired outside investigators and notified federal authorities before issuing a Jan. 17 news release. TJX says the monthlong delay in disclosing the breach allowed it to work with security experts to contain the problem.

TJX also remains uncertain of the theft’s size because it deleted much of the transaction data in the normal course of business between the time of the breach and the time TJX detected it.

“There is a lot of information we don’t know, and may never be able to know, which is why this investigation has been so laborious,” TJX spokeswoman Sherry Lang said.

TJX said in the filing that “substantially all stolen data” from transactions in the period Nov. 24, 2003, to June 28, 2004, were deleted. Lang said the company was investigating why information stolen earlier in 2003 wasn’t routinely deleted.

Deleting such information after transactions “should be standard practice” to guard against theft, said Taneja, the security expert, but many firms nevertheless don’t follow through.

TJX faces an investigation by the Federal Trade Commission, which could fine the company, and lawsuits accusing the firm of failing to safeguard private data.

TJX is the parent company of stores including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada and T.K. Maxx in Britain.

Focus was given to revamping older inner city stores or relocating them.K.J.[4] The company modified the name to T. women's and children's apparel and shoes.000 stores.[3] The company is part of the TJX Companies. Contents      1 History o 1. is an American department store chain owned by TJX Companies.[6] The freehold to the land is owned by the Crown Estate which had the final decision over allowing the company to move into the unit. as well as other areas such as toys. Maxx is a major clothes retailer in the United States.2 Data theft 2 Charity work 3 See also 4 Notes 5 External links History This section needs additional citations for verification. Please help improve this article by adding citations to reliable sources.[2] By the end of 2012. there were 343 stores in Europe. Maxx. Incorporated". a rival discount department store.[8] T.J. Under the name T. With more than 1.[7] The decision was met with condemnation from publicist Max Clifford who launched a campaign in conjunction with Look magazine to persuade the Crown Estate to allow the store to open in the unit.T. accessories and home products ranging from furniture to kitchen utensils. sometimes referred to as TJ's. formerly used by Virgin Megastores and later Zavvi. The first European store opened in Bristol in 1994. T.858 m2) unit. Maxx began a slowing down of new store openings within the UK.K. Unsourced material may be challenged and removed. which also owns HomeGoods/HomeSense. and Winners in Canada. It offers men's.[5] In 2003. Maxx became locked in a dispute over its plans to open a store at Piccadilly Circus.1 2007 credit card fraud o 1. as a nameplate of the Zayre discount department store chain.55 million a year rent. The Crown Estate rejected the plans. with a £1. as Dutch retailer The Sting has now taken the building as their first UK store. (March 2009) In 1976.000-square-foot (1. When Zayre sold their own nameplate to Ames.K. T. 
Maxx to avoid "confusion with the established British retail chain TJ Hughes (which is not affiliated with TJX)". Maxx was founded in Framingham. and 'off-price' retail chains Marshalls in the United States and Canada.K. This decision led to the creation .K. It had signed an agreement in February 2009 to occupy a 20. Ireland. Germany and Poland. T. bath and beauty. saying that it did not fit in with the strategy it had for the site which was meant to give the area an upmarket appeal.J. T. Zayre was renamed as "TJX Companies. Maxx went to court to appeal against the decision but failed. Maxx it operates stores throughout the United Kingdom. MA.[9] In 2007. London.

Maxx opened its first central London store on High Street Kensington.  T. a new department store format that saw T.K.  Interior of TK Maxx on Gracechurch Street. T.of the Maxx Maxx concept. on the site formerly occupied by Habitat. UK stores ceased to charge for carrier bags.K.[12] As from early 2011.[10] The chain hopes that this will be more successful than the company's earlier attempt at opening stores in the Netherlands between 1999 and 2001. London.  TK Maxx & HomeSense joint store in the MetroCentre.[11] In March 2009 its e-commerce site was launched at first only selling handbags. London. Gateshead. The range of products has now been expanded and includes other accessories. Maxx get away from its budget reputation into a large store format with a wider product range. as the public reaction to charging was the number one customer services complaint. In August 2008. The first store in Germany opened on 4 October 2007 in Lübeck. . Maxx on Gracechurch Street.K.

[18] The T. including T. Maxx's losses as a result of the data breach may reach £800 million in the years to come.7 million customers to potential theft from their accounts. children and families in need. having been the sole retailer of the Red Nose Day t-shirts which generated £2 million for the Comic Relief .[13] Details were stolen by hackers installing software via wi-fi[14] in June 2005 that allowed them to access personal information on customers. Maxx supports the Save the Children campaign and each store adopts a child to help support. Maxx store in Torrance. Albert Gonzalez.[15] Eleven people from around the world were charged with the breach in 2008. The breach continued until January 2007.J. the company disclosed a computer security breach dating back to 2005. In March 2010.K.25 million. CA.3 million to support U.S. In 2005. a computer hacker. The “Happy Hearts” initiative launched in 2000 has raised over $4. The losses would come as a result of paying for credit checks and administrative costs for managing the fallout from the breach. was sentenced to 20 years in federal prison after confessing to stealing credit and debit card details from a number of companies. Maxx.J.J. A typical T.K. According to the company this affected customers who used their card between January 2003 and June 2004 at any branch of T.[19] Charity work Every year.Maxx. T. Maxx was an active participant of Comic Relief.J.K. Details of customers' credit cards and debit cards were accessed by computer hackers.[16] Outside security provider Protegrity has estimated that T.[17] Data theft Main article: International credit card data theft In 2007. 2007 credit card fraud In March 2007. exposing 45. they raised over $1. the company was at the centre of major credit card fraud which affected its international operations. Hackers gained access to information on more than 45 million credit and debit card accounts for transactions since January 2003.[citation needed] In the UK in 2007. T. 
Maxx Corporation was sued by the Massachusetts Bankers Association and coplaintiffs including Maine and Connecticut Associated Banks for the data theft.

K. T. £3000.703 m2) site near Elmstead Market. Maxx has reduced by 73% since the scheme was launched.[20] In 2009.K.K. The usage of carrier bags from T.589. manager job swap.K.[2 . Essex. T.[21] In concurrence with Red Nose Day 2011.000 new trees on a 15 acres (60.cause. Maxx also worked with the Woodland Trust by starting to charge for plastic carrier bags in August 2008 and donating the proceeds to the Trust. Since 2004. The proceeds have allowed the Woodland Trust to plant 30. T. non-uniform day. each T.g. e. raising a total of £3. bun sales.g. Each store tries to raise the target by staff doing tasks e. Maxx was again the sole retailer of the Red Nose Day t-shirts with exclusive designs by Stella McCartney.200. official t-shirt sales and many other ideas. Maxx has held a Christmas card recycling scheme in conjunction with the Trust. Maxx is set a target by the company to raise.K.