January 18, 2007 4:32 AM PST

T.J. Maxx hack exposes consumer data

TJX, operator of discount chains including T.J. Maxx and Marshalls, on Wednesday said its computers were hacked, putting shoppers at risk of identity fraud.

Intruders accessed systems used to process and store customer transaction data, Framingham, Mass.-based TJX said in a statement. The retailer has identified some customer information that was taken, but the full extent of the data theft and number of affected customers is yet unknown, it said.

"TJX is conducting a full investigation of the intrusion," it said in the statement. "The company is committed to providing its customers with more information when it becomes available."

The intrusion involves systems that handle credit card, debit card, check and return transactions for T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and the Winners and HomeSense stores in Canada, TJX said. The exposed data covers 2003 and the period from mid-May through December 2006, it said.

It is also possible that transaction data for T.K. Maxx stores in the U.K. and Ireland and Bob's Stores in the U.S. was exposed in the breach, TJX said.

"It is pretty obvious that it was a very well orchestrated, targeted attack," said Avivah Litan, an analyst with Gartner. Litan suspects the perpetrators are the same people who have broken into systems at other retailers. "These people are piecing together information on millions of Americans. It is quite scary."

TJX discovered the intrusion in December and reported it to authorities in the U.S. and Canada as well as the major credit card companies and its payment processors. At the request of law enforcement, the breach was kept quiet until Wednesday, TJX said.

The breach appears broad. In Massachusetts, 28 banks have been contacted by credit card companies indicating that some of their customers may have had personal information exposed, the Massachusetts Bankers Association said in a statement Thursday. That number is likely to grow as more banks report in to the association, it said.

The TJX breach is the latest in a string of incidents that have exposed sensitive consumer information. Retailers are often affected; two years ago, transaction data was stolen from 108 DSW shoe stores. In another incident, a problem with point-of-sale software at Polo Ralph Lauren compromised the credit card data of as many as 180,000 people.

Major credit card companies have launched security initiatives focused on retailers. Store owners should not store card information, but Visa and MasterCard have found that many point-of-sale terminals and other transaction software store all the data anyway, sometimes unbeknownst to the retailer.

In December, Visa announced it would offer $20 million in incentives for merchants and transaction service providers to comply with credit card industry security rules, called the Payment Card Industry Data Security Standard. As part of those rules, merchants have to limit data storage and use encryption.

"We think it's a little odd that they would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary," said Daniel Forte, chief executive of the Massachusetts Bankers Association.

Though credit card companies instituted common security rules for card-accepting businesses two years ago, only about one-third of the biggest merchants are compliant, Visa said in December. Smaller businesses are even farther behind, the company added.

Critics argue that credit card companies are taking the wrong approach.

"It is time that the banks own up to this problem and stop shifting the responsibility to the retailers. It is impractical to expect 5 million retailers to become security experts. It is much more practical to update the payment systems," Gartner's Litan said.

TJX has hired General Dynamics and IBM to assess the intrusion, identify compromised data and secure its systems, it said.

"We have been working diligently to further protect our customers and strengthen the security of our computer systems, and we believe customers should feel safe shopping in our stores," Ben Cammarata, TJX's acting chief executive officer, said in the statement.

TJX operates 826 T.J. Maxx, 751 Marshalls, 271 HomeGoods, and 162 A.J. Wright stores, as well as 36 Bob's Stores, in the United States. In Canada, the company runs 184 Winners and 68 HomeSense stores, and in Europe, 212 T.K. Maxx stores.

Concerned TJX customers can call a helpline at 866-484-6978 in the United States, 866-903-1408 in Canada and 0800-77-90-15 in the U.K. and Ireland. TJX also provides tips for customers to prevent identity fraud on its Web site.


15 comments

Why am I not surprised.
I live in an apartment formerly occupied by a T.J. Maxx employee. Every two weeks we receive in the mail a paystub from T.J. Maxx for the former occupant containing that person's name, social security number, bank name, and bank account number. Every two weeks we return it in the mail with a "not at this address" sticker. I have even called their corporate headquarters' legal department to inform them of the problem but the pay stubs keep coming. Conclusion, there was a security breach because the company does not really care about security of information.
Posted by cnetmarc (3 comments )
They don't care!!!!
I can say from a former employee standpoint that TJX only cares about the bottom line. Their computer equipment was often bought second hand and they only trained people on a need-to-know basis, and even then we had computer students who could do more on the registers and computer than the store managers knew about. Next time you go in check out the registers, everything is dirty and broken. They pay the lowest wages they can get away with and promote employees getting government benefits like food stamps, help with winter utility bills, and the advanced earned income.
Their excuse for every issue that might involve money is "We are a public Company and must answer to the stockholders"
But check out the pay and perks of acting CEO Ben Cammarata? I know before he stepped down he was one of the highest paid people in retail.
Also instead of investing in the company infrastructure and employees they have had the stockholders approve several stock buyback initiatives so they can use these as perks for executives.
Posted by superfecta (2 comments )
Stolen Data Should Be Prevented
It's important for retailers to think about better security of their customer data.
Posted by chrisx1 (201 comments )
Naive and Arrogant
You should've seen the front page of my local paper. They had a pic of a woman who shops at a local TJ MAXX and interviewed her reaction to the incident. "...I'm not worried. I'll still use my credit cards there. This won't ever happen to me". How naive and arrogant can people be. You have no control over someone getting a hold of your credit card info if you shop at a store that gets breached. It CAN happen to anyone. No matter what precautions YOU take. There're two sides to the coin. YOU and the RETAILERS.
Posted by CyberJedi25 (2 comments )
I was one of them
I am a big fan of Marshalls stores and last December I found in my statement an unauthorized purchase of nearly 500 dollars. Later some others from different shops. Without still knowing this information I had this feeling that my credit card information was stolen from Marshalls.
Posted by rosebuds007 (1 comment )
Oddly a victim
The last couple of days, my mom started receiving packages in the mail. The first package was some computer software. We didn't think anything of it. We thought maybe it was just something we had signed up for online. The next day we received another package of books. That's when we knew something was up.

We called the shipper of the books, and sure enough someone had ordered a book club membership in my mom's name with my mom's credit card, and shipped it to our house. Then we contacted the shipper of the software, and this too was purchased with my mom's credit card shipped to her home.

It's weird, because you would think a scammer would have shipped things to their own house, but they made no personal purchases, just these two items.
Posted by soappy (1 comment )
T.J. MAXX CREDIT CARD ID THEFT
TWO WEEKS AGO I APPLIED FOR A TJ MAXX CREDIT CARD THRU CHASE, THE STORE USED A VERY OLD APPLICATION TYPE, HAD ME FILL OUT A PAPER APPLICATION AND THE CLERK AT THE STORE TYPED THE INFORMATION INTO THEIR COMPUTER.
ONE WEEK LATER I FOUND FRAUDULENT CHARGES ON MY VISA CREDIT CARD, THE APPLICATION AT TJ MAXX IS THE ONLY TIME I GAVE OUT CONFIDENTIAL INFORMATION FOR A CREDIT APPLICATION.
Posted by lady420 (3 comments )
T.J. MAXX CREDIT CARD ID THEFT
TWO WEEKS AGO I APPLIED FOR A TJ MAXX CREDIT CARD THRU CHASE, THE STORE USED A VERY OLD APPLICATION TYPE, HAD ME FILL OUT A PAPER APPLICATION AND THE CLERK AT THE STORE TYPED THE INFORMATION INTO THEIR COMPUTER.
ONE WEEK LATER I FOUND FRAUDULENT CHARGES ON MY VISA CREDIT CARD, THE APPLICATION AT TJ MAXX IS THE ONLY TIME I GAVE OUT CONFIDENTIAL INFORMATION FOR A CREDIT CARD. TO PREVENT FURTHER THEFT I HAD TO CANCEL ALL CREDIT CARDS AND DISPUTE THE FRAUDULENT CHARGES, SINCE ALL MY CONFIDENTIAL INFORMATION WAS MADE PUBLIC.
Posted by lady420 (3 comments )
I'm an employee at TJ Maxx and process credit applications frequently. First of all, we return any personal information to the customer and/or have it destroyed. All information typed into the computer is sent directly to the bank our cards come from, and is not stored on our computers. I can't see how the TJX company could be held accountable for your losses, seeing as how the company doesn't store that information.
Posted by bcampbell694 (1 comment )
T.J. MAXX/CHASE STEALS YOUR CREDIT INFORMATION
TWO WEEKS AGO I APPLIED FOR A T.J. MAXX CREDIT CARD SPONSORED BY CHASE BANK, ONE WEEK LATER AFTER SUPPLYING T.J. MAXX AND CHASE WITH MY CONFIDENTIAL INFORMATION, I FOUND FRAUDULENT CHARGES ON MY CURRENT VISA, T.J. MAXX IS THE ONLY PLACE I GAVE OUT THIS INFORMATION.
I HAD TO CANCEL ALL MY FORMS OF CREDIT AND DISPUTE THE FRAUDULENT CHARGES.
Posted by lady420 (3 comments )
I am really worried. My husband probably would have ignored purchases thinking that I made them. I bought him tons of Christmas gifts in their stores. I had a Marshalls employee steal a shirt out of my cart. I wrote a letter to the manager, and didn't even get a response. I wrote the corporates. They told me that they informed the management, and assured me it would be taken care of. I didn't get any response at all. Apparently they don't care much about their customers being ripped off.
Posted by sax21 (2 comments )
that's crazy
Posted by sax21 (2 comments )
First of all, it was made by no HACKER.... hackers don't do stuff like that, I can assure you that it was made by a no knowledge kid. If it was made by a hacker you would have to call us to find it out for you, hackers leave no traces, you would never find out that the store was invaded.
I work with computer security, we are the biggest in the state. Whoever would like to have a nice and secure network please get in contact with us by sending us an e-mail to support@inforeason.com we are also network detectives... (we do not have a website in English yet, but we are working on it, we are a Brazilian company soon we will be in US, you can look up our website in Portuguese www.inforeason.com.br )
Posted by inforeason (2 comments )