Retail giant TJX has, after two months, finally offered details of an enormous data breach it made public in January. The discount clothes store owns the TK Maxx chain in the UK.
In filings with the US Securities and Exchange Commission on Wednesday, the company said 45.6m credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders.
That number eclipses the 40m records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data.
In addition, personal data that about 451,000 individuals provided in 2003 in connection with the return of merchandise without receipts was stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings.
"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said.
In January, TJX announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the US, Canada, Puerto Rico and potentially the UK and Ireland.
At the time, TJX said it believed the intrusion took place in May 2006 but wasn't discovered until mid-December -- seven months later. A few weeks later, the company revised those dates and said that an investigation by IBM and General Dynamics, two companies it hired in the wake of the breach discovery, indicated the intrusion may have taken place in July 2005.
Banks and credit unions had to block and reissue thousands of payment cards as a result of the breach.
In its filing, TJX confirmed that its systems were first accessed illegally in July 2005 and then on several occasions later in 2005, 2006 and even once in mid-January 2007 -- after the breach had already been discovered. However, no data appears to have been stolen after 18 December 2006, when the intrusion was first noticed.
The systems that were broken into processed and stored information related to payment cards, cheques and merchandise returned without receipts. The data breach affected customers of its TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US and Puerto Rico. Customers of TK Maxx in the UK and Winners and HomeSense stores in Canada were also affected.
It is hard to know exactly what kind of data was stolen because a lot of the information accessed by intruders was deleted by the company in the normal course of business. "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," the company said. It did not elaborate on the technology it was referring to.
Customer names and addresses were not included with any of the payment card data believed stolen from the systems, TJX said. Also, the company "generally" did not store Track 2 data from the magnetic stripe on the back of payment cards for transactions after September 2003, TJX said.
By 3 April 2006, the company had begun to mask payment card PIN data and "some other portions of payment card transaction information" as well as cheque transaction information, the company said.
"We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided... we believe that we may never be able to identify much of the information believed stolen," TJX said.
The company has so far spent about £2.5m in connection with the breach, although it warned that it is hard to say what other costs may be incurred. It cited several lawsuits that have been filed against it since the breach was announced. The company was sued recently by the Arkansas Carpenters Pension Fund, one of its shareholders, for its failure to divulge more details about the breach.