TJX Data Breach Worse than Previously Believed

There's more bad news from Framingham, Mass.-based retailer TJX Companies Inc. regarding the massive data breach disclosed last month.

An ongoing investigation of the breach has shown that intruders gained access to TJX systems almost a full-year earlier than first thought -- and compromised more payment card data than previously believed, the company said in a statement issued Wednesday.

The investigation has also confirmed that card transaction data involving TJX-owned stores in the U.K and Ireland were also affected by the intrusion. Previously, the company had only said that it was "concerned" about this possibility.

TJX is the owner of stores such as TJ Maxx, Marshalls and Bob's Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico as well as potentially the U.K. and Ireland.

"We are dedicating substantial resources to investigating and evaluating the intrusion," TJX's new CEO Carol Meyrowitz said in the statement. IBM and General Dynamics Corp., the two companies hired by TJX to shore up security in the wake of the breach, have committed "over 50 experts" to handle the probe, she said.

TJX still hasn't disclosed the number of shoppers that may have been affected by the breach, though many analysts believe the number to be in the millions. When it first announced the breach, TJX said it believed the intrusion took place in May 2006 but wasn't discovered until December, seven months later.

The ongoing investigation found that intruders, in fact, gained access to the company's systems as far back as July 2005 and "on various subsequent dates in 2005." Similarly, payment card data involving transactions over an 18-month period between January 2003 and June 2004 has also been compromised -- as well as more drivers license information than previously thought, the company said. Until now, TJX was only able to confirm the compromise of data involving transactions in 2005 and for the period between May 2006 and Dec. 2006.

The fallout from the breach has been widespread, with banks and credit unions around the country as well as in Canada being forced to block and reissue thousands of cards. The New Hampshire Bankers Association has estimated that as many as 20 percent to 30 percent of people in New England may have been touched by the breach.

Subscribe to the Security Watch Newsletter

Comments