said in a filing with the Securities and Exchange Commission (SEC) this week that as many as 47.5 million customer records were stolen, making it the largest data breach of its kind.
The filing comes about two months after TJX released a report revealing evidence of intrusions of its customer database dating back to 2003.
TJX officials have said they did not discover the computer intrusion until Dec. 2006.
“We do not know who took this action and whether there
was one continuing intrusion or multiple, separate intrusions,” TJX said in its report.
transactions after Sept. 2, 2003, TJX said it masked portions of the data
on payment and check card transactions, replacing numbers with asterisks.
However, despite encryption and other security measures, TJX said technology
could have been used to get at the data. TJX said it has reason to believe
the intruder had access to the decryption tool for the encryption software
the company used.
The company also said it was continuing to investigate the security
breach with the help of outside computer security firms it hired back in
December. Law enforcement agencies were also notified, including the U.S.
Secret Service, which, TJX said, is also investigating the matter. TJX said the
investigation will be costly.
The filing makes clear TJX has a long way to go before it will be able to
assess how much personal information was taken. In some cases
it may never know.
“The technology used by the Intruder has, to date, made
it impossible for us to determine the contents of most of the files we
believe were stolen in 2006,” TJX said in its filing. Other than certain specific areas it’s
identified, TJX said, “we believe that we may never be able to identify much
of the information believed stolen.”
In addition to any consumer lawsuits, the
company is having to deal with numerous legal entities looking into the
matter, including the U.S. Federal Trade Commission, the SEC, Royal Canadian
Mounted Police and the Canadian Federal Privacy Commissioner. Information
has also been given to the Massachusetts and other state Attorneys
General, California Office of Privacy Protection, various Canadian
Provincial Privacy Commissioners, the U.K. Information Commissioner, and the
Metropolitan Police in London, England.
TJX also said it is facing a number of legal claims from customers and
shareholders in the wake of the security breach. The company said it intends to
“defend such litigation and claims vigorously, although we cannot predict
“The perpetrators [in the TJX case] are probably getting more attention than they
wanted,” Gartner analyst Avivah Litan told internetnews.com. She
speculated the perpetrators found their way in through a wireless network or
some other hole in TJX’s infrastructure.
Moreover, she said this could pave the way for other smaller attacks in
which hackers attack multiple retailers, but take fewer records to stay
under the radar. Fewer records could keep the hackers from getting extra
TJX Companies owns Marshalls and T.J. Maxx stores (among other smaller
retail outlets) throughout North America. T.J. Maxx is the largest off-price
retail chain in the United States, with 821 stores in 48 states.
is the second-largest off-price retailer in the United States, with 734
stores in 42 states and 14 stores in Puerto Rico.
Clint Boulton contributed to this report