By Pat Beall
Palm Beach Post Staff Writer
February 20, 2007
A posse of 30 attorneys general, including Florida's, is looking into
how hackers wormed their way into a customer database holding personal
information on customers of Marshalls, TJ Maxx and HomeGoods.
The thieves didn't just make off with credit card information of patrons
of the popular retailers, which are owned by a Massachusetts-based
public company. The illicit bounty included personal checks, debit cards
and possibly driver licenses.
That's just the kind of information used to steal someone's identity and
rack up debts on the unsuspecting victim's bank and credit card
accounts. Already, fraudulent purchases in Florida have been linked to
the hijacked data, according to the Massachusetts Bankers Association.
"We are looking into what has happened," confirmed Sandi Copes, press
secretary for Florida Attorney General Bill McCollum. McCollum sits on
the executive committee of the multistate probe, which is being led by
the attorney general for Massachusetts.
"Essentially at this stage we are fact-finding," said Emily LaGrassa,
communications director for Massachusetts Attorney General Martha
Coakley. "How did the breach occur? Were there measures that could have
been taken, or were there measures in place?"
At issue is personal information on shoppers stockpiled by The TJX Cos
Inc., the corporate parent to TJ Maxx, Marshalls and a handful of other
retail chains. Nineteen of its HomeGoods, TJ Maxx and Marshalls stores
are in Palm Beach County and along the Treasure Coast.
The $16 billion company (NYSE: TJX, $28.47) announced in January it had
unearthed evidence of hackers in December.
Although theft of personal information is not new, it rarely garners
such close attention by the attorneys general. According to a report in
The Wall Street Journal, the databases that were breached had 40 million
names. TJX has said the true numbers are much smaller but has not
disclosed how many customers were affected.
"That is one of the things we are looking at," said LaGrassa, the
spokeswoman for the Massachusetts attorney general.
TJX is a global retailer with operations in Britain, Canada, Puerto Rico
and Ireland. Data in those countries also was compromised, according to
Then there's "the sheer volume of information retained," said Paul
Stephens, a policy analyst with the California-based Privacy Rights
Clearinghouse, a nonprofit advocacy group. "That is one of the important
For instance, the Massachusetts Bankers Association has pointedly asked
why the retailer was warehousing so much personal data on its customers.
"It appears that they may have been capturing data that is unnecessary,"
said Daniel Forte, president of the group.
Copes, at McCollum's office, said the company is cooperating.
Even so, questions are popping up about why the company waited a month
before alerting customers.
When bandits lifted information on 19,000 AT&T Inc. customers last
summer, company notifications went out within 48 hours. The TJX
discovery came at the height of the holiday retail buying season, yet
its announcement wasn't made for several weeks.
The company says it was bowing to the wishes of law enforcement
authorities who wanted to keep hackers in the dark. Critics have asked
whether the company was trying to protect seasonal sales.
The largest confirmed wholesale data theft involved 163,000 customers.
That was the result of a breach of data compiled by ChoicePoint Inc.
Fallout from that case was a public relations catastrophe for the
company, which also saw its stock price dip.
ChoicePoint (NYSE: CPS, $39.04) did what it could to stem criticism. For
example, it offered to pay for one full year of credit monitoring for
all 163,000 consumers whose personal information was sold.
TJX has not offered to track customers' credit reports.
Stephens said the incident raises a more fundamental question: "Why did
they need to retain that sort of information and then leave it in a
place that was networked and could be accessed?"