The credit and debit card data of a large number of shoppers in the US, Puerto Rico and Canada, and possibly in the UK and Ireland, may have been compromised as the result of a hacking incident at The TJX Companies last month.
According to a statement issued on 17 January 2007 by the retailer, the network intrusion took place in mid-December 2006 and involved systems used to process credit, debit, check and merchandise-return transactions at its TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US and Puerto Rico.
Also affected was customer transaction data from TJX’s Winners and HomeSense stores in Canada, the company said. Data collected at its TK Maxx stores in the UK and Ireland, and at its Bob’s Stores unit in the US may have been put at risk as well.
“While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known,” the company said in its statement.
Credit and debit card data involving transactions processed during 2003 and between May and December of last year may have been accessed as part of the intrusion, according to TJX. The company said that thus far, it has identified “a limited number” of card holders whose data was removed from its systems. All major card brands accepted by TJX have been affected, including Visa, MasterCard, American Express and Discover.
In addition, the retailer said it has identified “a relatively small number” of customers whose driver’s license information was also stolen from the compromised systems. No information was released on the total number of people that might have been affected by the breach. Neither did TJX disclose any details on how exactly the intruder gained access to the systems and the data.
TJX said it has hired IBM and General Dynamics to “monitor and evaluate” the intrusion, and to help the company identify the extent of the data compromise. Both vendors also are helping TJX shore up its security following the breach, the retailer said without specifying what measures have been taken in that regard.
The company added that it has notified the US Department of Justice and Secret Service, and the Royal Canadian Mounted Police, of the data breach and “provided all assistance requested” by the law enforcement agencies in an attempt to help track down the perpetrators. The major credit card companies have been notified as well.
In an emailed statement, Rosetta Jones, a vice-president at Visa US, said the credit card company is working with law enforcement officials and TJX to investigate the compromise. “Visa has provided the affected accounts to financial institutions so they can take steps to protect consumers,” Jones said. “In addition, Visa is risk-scoring all transactions in real time, helping card issuers better distinguish fraudulent transactions from legitimate ones.”
A call seeking comment from MasterCard International hadn’t been returned as of posting time.
TJX has set up toll free numbers for customers who may have concerns regarding the breach. US-based customers can call 866-484-6978. The number for customers in Canada is 866-903-1408, while those in the UK and Ireland can call 0800-77-90-15.
The breach at TJX appears to be the most significant one at a retailer since a compromise at an unidentified company – widely believed to be OfficeMax – led to a worldwide outbreak of debit card fraud in March 2006. As a result of that incident, banks and credit unions, including Bank of America, Wells Fargo Bank and Washington Mutual Bank, were forced to cancel and reissue tens of thousands of cards.
Since then, the credit card companies have been aggressively trying to get retailers to adopt the Payment Card Industry Data Security Standard, which requires all entities handling credit and debit card data to implement different levels of prescribed security measures based on the number of transactions they process each year.
A major component of the PCI standard is a requirement that forbids retailers from storing credit and debit card data on point-of-sale (POS) systems. All retailers must ensure that their POS systems are purged of such information, which includes magnetic stripe, PIN and card verification value data, by September 2007.