By ERIC DASH
January 19, 2007
Tens of millions of credit and debit cards might have been compromised
by a computer security breach at the retailer that operates T. J. Maxx
and Marshalls in what could emerge as the countrys biggest case of
stolen consumer data.
While the investigation is in its early stages, the number of accounts
potentially exposed at the TJX Companies could exceed the 40 million
involved in a data breach at the payment processor CardSystems Solutions
in 2005, people briefed on the findings said yesterday.
Still, these people cautioned, the total number of accounts at risk
might be far less if thieves only looked at but did not download the
TJXs vice president for investor and public relations, Sherry Lang, said
yesterday that the amount of information removed was substantially less
than millions, but conceded that many more could have been potentially
She provided few details of the investigations.
The millions of card accounts compromised, belonging to all the major
credit card companies, were among a trove of sensitive customer
information potentially exposed. On Wednesday, TJX revealed that an
intruder had gained access to a computer system that contained other
customer information, including drivers license numbers and checking
accounts linked to transactions for returned merchandise.
Over the last two days, the nations banks and card brands including
Visa, MasterCard Worldwide and American Express said they were
monitoring their customer accounts for potential fraud. TJX, which has
about 2,300 stores in the United States and Canada, suggested that
customers review their accounts, and it set up a tip sheet on its
Internet site and a toll-free number 866-484-6978 to handle questions.
Both of TJXs flagship stores were affected, as well as its HomeGoods and
A. J. Wright stores in the United States, and its Winners and HomeSense
chains in Canada. The company is still trying to assess whether customer
data from its 36 Bobs Stores had been affected.
Yesterday, Fifth Third Bank of Cincinnati was identified as the
sponsoring bank that handles TJXs accounts, which makes it responsible
for ensuring that the retailer met the industrys data security
We are not in a position to confirm or deny if we do have a relationship
with T. J. Maxx, a spokeswoman for Fifth Third, Stephanie L. Honan,
said. Asked about whether all of its merchants were compliant with the
rules, she declined further comment.
Fifth Third may be required to cover some of the card issuers losses.
TJX could also faces hundreds of thousands of dollars in fines from
government regulators, Fifth Third and the payment associations like
Visa and MasterCard.
Meanwhile, federal and company investigators tried to untangle what TJX
called an unauthorized intrusion into its computer system going back at
least four years. One likely entry point may have been through checkout
terminals, which are typically connected to the Internet. That could
enable thieves to obtain sensitive data like that on the magnetic strips
of credit cards, which security experts advise companies not to keep.
While there was only a single compromise, TJXs statement suggested it
may have occurred in two waves. During portions of 2003, the company
suggested, the intruder gained access to credit and debit card
information that was stored, possibly unencrypted, on its computers.
>From May to December last year, the disclosure suggests, live data on
the network may have been accessed in an intrusion using hacker tools.
Hard Drive Lost at Bank
OTTAWA, Jan. 18 The Canadian Imperial Bank of Commerce said Thursday
that it had lost a computer hard drive containing personal financial
information for about 470,000 mutual fund customers.
Rob McLeod, a spokesman for the bank, said the drive, a backup for its
Talvest mutual fund, disappeared while being moved from Montreal to
Toronto just prior to Christmas holidays.
While the bank immediately notified Canadas privacy commissioner as well
as its bank regulator, Mr. McLeod said the public announcement was
delayed by the need to identify the affected customers and to establish
a call center to handle their inquiries.
The lost records cover current and former Talvest customers and includes
their names, addresses, signatures, dates of birth, account numbers,
beneficiary information and social insurance numbers. The bank said it
has offered to cover any losses related to the missing drive.
Copyright 2007 The New York Times Company
Subscribe to InfoSec News