Payment card data for an unknown number of customers at UK discount clothes store TK Maxx has been stolen from the retailer’s computer systems in Watford, Hertfordshire.
The stolen UK information makes up some of the 45.6m payment card details stolen from parent company TJX in the world’s biggest ever data theft.
Papers filed by TJX to the US Securities and Exchange Commission have confirmed for the first time that computer systems in Watford that process payment card transactions at TK Maxx’s 210 stores in the UK and Ireland have been attacked.
In January, TJX announced that intruders had attacked its systems and stolen card data for an unknown number of customers. Shoppers in the US, Canada, Puerto Rico, the UK and Ireland could all be affected.
The company said the intrusion, believed to have taken place in May 2006, had not been discovered until December. In a February statement, it said the intrusion may in fact have taken place in July 2005.
The new disclosures reveal the company now believes information has been stolen from “from a portion of our computer systems in Watford” that process and stores information related to payment card transactions at TK Maxx stores in the United Kingdom.
At least two files of 100 stolen from the company’s US systems, based in Framingham, Massachusetts, in 2006 “were created by the intruder and moved from the Watford system to the Framingham system”.
The filed papers say: “We suspect that these files contained payment card transaction data, some or all of which could have been unencrypted and unmasked.”
Due to the technology used by the intruder, the company is “unable to determine the nature or extent of information included in these files”.
The attacker could also have stolen payment card data from the Watford system during the payment card issuer’s approval process, when information – including “track 2” data held on the card’s magnetic stripe, including dates of birth and individual driving licence or ID numbers - is transmitted without encryption.
The filed papers say PIN numbers, customer names and addresses were not stored on the Watford systems.
But the retailer is unable to confirm exactly what information the attackers took, because the it has deleted some of the files that are now believed to have been stolen, before the theft was discovered.
“In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” the filed papers say.
The retailer is still investigating, but the documents say: “We believe that we may never be able to identify much of the information believed stolen.”
The company does not know how far any of the Watford data was protected with encryption or other technologies. The papers filed with the regulators give some dates for the introduction of security measures on the US systems, but do not specify such dates for the UK data.
“With respect to the Watford system, masking and encryption practices were generally implemented at various points in time for various portions of the payment card data,” the papers say.
Read related article Retailer suffers world's biggest ever data breach