Numbers Are Out on TJX Breach - InternetNews.

Numbers Are Out on TJX Breach

TJX Companies said in a filing with the Securities and Exchange Commission (SEC) this week that as many as 47.5 million customer records were stolen, making it the largest data breach of its kind.

The filing comes about two months after TJX released a report revealing evidence of intrusions of its customer database dating back to 2003.

The previous record for the largest data breach to date was believed to be at CardSystems, which in 2005 reported that hackers had gained access to some 40 million customer records.

TJX officials have said they did not discover the computer intrusion until Dec. 2006. "We do not know who took this action and whether there was one continuing intrusion or multiple, separate intrusions," TJX said in its report.

For transactions after Sept. 2, 2003, TJX said it masked portions of the data on payment and check card transactions, replacing numbers with asterisks. However, despite encryption and other security measures, TJX said technology could have been used to get at the data. TJX said it has reason to believe the intruder had access to the decryption tool for the encryption software the company used.

The company also said it was continuing to investigate the security breach with the help of outside computer security firms it hired back in December. Law enforcement agencies were also notified, including the U.S. Secret Service, which, TJX said, is also investigating the matter. TJX said the investigation will be costly.

The filing makes clear TJX has a long way to go before it will be able to assess how much personal information was taken. In some cases it may never know.

"The technology used by the Intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006," TJX said in its filing. Other than certain specific areas it's identified, TJX said, "we believe that we may never be able to identify much of the information believed stolen."

In addition to any consumer lawsuits, the company is having to deal with numerous legal entities looking into the matter, including the U.S. Federal Trade Commission, the SEC, Royal Canadian Mounted Police and the Canadian Federal Privacy Commissioner. Information has also been given to the Massachusetts and other state Attorneys General, California Office of Privacy Protection, various Canadian Provincial Privacy Commissioners, the U.K. Information Commissioner, and the Metropolitan Police in London, England.

TJX also said it is facing a number of legal claims from customers and shareholders in the wake of the security breach. The company said it intends to "defend such litigation and claims vigorously, although we cannot predict the outcome."

"The perpetrators [in the TJX case] are probably getting more attention than they wanted," Gartner analyst Avivah Litan told internetnews.com. She speculated the perpetrators found their way in through a wireless network or some other hole in TJX's infrastructure.

Moreover, she said this could pave the way for other smaller attacks in which hackers attack multiple retailers, but take fewer records to stay under the radar. Fewer records could keep the hackers from getting extra media attention.

TJX Companies owns Marshalls and T.J. Maxx stores (among other smaller retail outlets) throughout North America. T.J. Maxx is the largest off-price retail chain in the United States, with 821 stores in 48 states.

Marshalls is the second-largest off-price retailer in the United States, with 734 stores in 42 states and 14 stores in Puerto Rico.

Clint Boulton contributed to this report.