Security Woes Snowball For TJ Maxx

TJ Maxx’s January report of a database breach exposing customers’ financial information was bad enough.

It seems the damage, which led some customers to cancel or change their credit and debit card numbers, was worse than originally reported.

TJ Maxx said in January that it believed the intrusion only took place from May 2006 to January 2007, but the company said today in a statement that its computer system was also compromised in July 2005 and on other dates in that year.

In another new development, the company now believes that information regarding portions of the credit and debit card transactions at its U.S., Puerto Rican and Canadian stores (excluding debit card transactions with cards issued by Canadian banks) from January 2003 through June 2004 was compromised.

The company had previously reported that the 2003 transaction data had “potentially” been accessed.

Also, for most of the transactions from September 2003 through June 2004, some of the card information was masked at the time of the transaction, making that portion unavailable to the intruder.

TJ Maxx also said that customer names and addresses were not included with the credit and debit card data believed to have been compromised.

“We are working with leading computer security firms to investigate the problem and enhance our computer security in order to protect our customers’ data,” TJX Companies President and CEO Carol Meyrowitz said in a letter on the company’s Web site today.

“We are dedicating significant resources to evaluate the issue. Given the nature of the breach, the size and international scope of our operations and the complexity of the way credit card transactions are processed, the evaluation is, by necessity, taking time.”

Andrew Jaquith, a security analyst with the Yankee Group, said the only good news for TJ Maxx is that “it will be someone else next month.”

Jaquith, who credited TJ Maxx for reporting the new findings right away, said a lot of companies are struggling with these kinds of security issues.

“Personally identifiable or non-public information is the asbestos of 2006 and 2007,” said Jaquith. “A lot of places we like to frequent have it and all of a sudden we find it’s toxic.”

And just like asbestos, he said, cleaning up and securing confidential data online is going to be a long, expensive process.

“There is no silver bullet, but one of the key points I make to companies is to ask what information they are keeping about their customers. If they don’t know, that’s a problem right there,” said Jaquith.

He added that in a lot of instances, companies are collecting customer data they don’t need, like Social Security and license numbers.

He suggested that even when such background info is necessary from a security point of view at the time of purchase, companies still make the mistake of hanging onto the data for too long.

“It’s hard to have a data disclosure problem over data you’re not storing,” said Jaquith.

TJX, which operates more than 2,500 clothing stores in the U.S., Canada and the U.K., said customers with questions about the breach can call a toll-free help line TJX has established at 866-484-6978.

Updated information will also be available at its Web site, including tips on preventing credit and debit card fraud and other steps to protect personal information.
