By Caroline McCarthy
February 21, 2007
The TJX Companies, the discount retailer best known for its T.J. Maxx
and Marshalls clothing stores, said Wednesday that its hacking
investigation has uncovered more extensive exposure of credit and debit
card data than it previously believed.
Information on millions of TJX customers may have been exposed in the
long-running attack, which was made public last month. It affects
customers of any of TJX store in the U.S., Canada or Puerto Rico, with
the exception of its Bob's Stores chain.
The breach of credit and debit card data was initially thought to have
lasted from May 2006 to January. However, TJX said Wednesday that it now
believes those computer systems were first compromised in July 2005.
TJX said credit and debit card data from January 2003 through June 2004
was compromised. The company previously said that only 2003 data may
have been accessed. According to TJX, however, some of the card
information from September 2003 through June 2004 was masked at the time
of the transactions.
The company added that names and addresses apparently were not included
with the card information, that debit card PIN numbers are not believed
to have been vulnerable, and that data from transactions made with debit
cards issued by Canadian banks likely were not vulnerable.
TJX also found that there was evidence of intrusion into the system that
handles customer transactions for its T.K. Maxx stores in the United
Kingdom and Ireland, but that there has been no confirmation that anyone
actually accessed that data.
In addition to these exposures, TJX said there were more breaches of
driver's license information than it previously thought. These included
the license numbers, names and addresses of customers making merchandise
returns in the U.S. and Puerto Rico locations of T.J. Maxx, Marshalls
and HomeGoods stores. That compromised data, according to TJX, is
restricted to returns without receipts that took place in the last four
months of 2003, as well as in May 2004 and June 2004.
TJX plans to notify customers whose driver's license data may have been
The company, which is continuing its investigation, encourages customers
to check their credit-card and bank-account records and look for further
updates on its Web site.
Subscribe to the InfoSec News RSS Feed