February 21, 2007 9:40 AM PST

T.J. Maxx probe finds broader hacking

The TJX Companies, the discount retailer best known for its T.J. Maxx and Marshalls clothing stores, said Wednesday that its hacking investigation has uncovered more extensive exposure of credit and debit card data than it previously believed.

Information on millions of TJX customers may have been exposed in the long-running attack, which was made public last month. It affects customers of any of TJX store in the U.S., Canada or Puerto Rico, with the exception of its Bob's Stores chain.

The breach of credit and debit card data was initially thought to have lasted from May 2006 to January. However, TJX said Wednesday that it now believes those computer systems were first compromised in July 2005.

TJX said credit and debit card data from January 2003 through June 2004 was compromised. The company previously said that only 2003 data may have been accessed. According to TJX, however, some of the card information from September 2003 through June 2004 was masked at the time of the transactions.

The company added that names and addresses apparently were not included with the card information, that debit card PIN numbers are not believed to have been vulnerable, and that data from transactions made with debit cards issued by Canadian banks likely were not vulnerable.

TJX also found that there was evidence of intrusion into the system that handles customer transactions for its T.K. Maxx stores in the United Kingdom and Ireland, but that there has been no confirmation that anyone actually accessed that data.

In addition to these exposures, TJX said there were more breaches of driver's license information than it previously thought. These included the license numbers, names and addresses of customers making merchandise returns in the U.S. and Puerto Rico locations of T.J. Maxx, Marshalls and HomeGoods stores. That compromised data, according to TJX, is restricted to returns without receipts that took place in the last four months of 2003, as well as in May 2004 and June 2004.

TJX plans to notify customers whose driver's license data may have been accessed.

The company, which is continuing its investigation, encourages customers to check their credit-card and bank-account records and look for further updates on its Web site.

See more CNET content tagged:
debit card, driver's license, hacking, Puerto Rico, exposure


Join the conversation!
Add your comment
Why ?
I do on line business for our company. After we get paid, there is no need to keep All that credit info for that length of time. Why are they keeping all that unsecured data ?
Posted by pgp_protector (122 comments )
Reply Link Flag
pgp_protector pondered this question:

"Why are they keeping all that unsecured data ?"

Simple, to keep track of marketing trends. It's far more
important for a company to know how to thrust advertisements
in your face 24/7 than it is to worry about the dangers their
customers are in because of their actions. Remember, you're a
number to them; a pile of marketing statistics. If you wanted
your "private data" protected, you wouldn't have given it to them
in the first place.

It's all part of the "I'm not responsible, it's someone elses fault"
mentality we have developed over the years. I find it disgusting
that a company like this can put the onus back onto the
customer to watch their credit for breaches caused by the
companies lack of caring. If they really cared about their
customers, they would offer lifetime credit watching services for
those they have raped for a few pennies of profit. (The same
goes for our govenment, especially regarding all those veterans
who have been publicly raped by the governments carelessness.
A year of credit checks, what a crock! The veterans data won't
disappear or become void in that time, why should the
government's responsibility?)
Posted by Dalkorian (3000 comments )
Link Flag
We need one TJ Maxx here in Puerto Rico i like TJ maxx
Posted by william189 (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.