SecurityFocus, 2007-03-30
More than three months after detecting a breach of its systems, retail giant TJX Companies released this week its best guess at the number of customers whose credit-card information and other data were stolen by online thieves.
Information from at least 45.6 million credit cards had been stolen by unknown attackers who had breached the company's computer transaction processing systems between July 2005 and mid-January 2007, TJX stated in its annual report filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday. It's a number that is likely only to grow larger: The tally of 45.6 million credit-card accounts was calculated from data records for transactions processed between December 31, 2002 and November 23, 2003. Data files after November 2003 were deleted in the "ordinary course of business," but not before the records were likely stolen, TJX stated in its annual report.
"To date, we have been able to identify only some of the information that we believe was stolen," the company stated in the report. "Deletions in the ordinary course of business prior to discovery of the Computer Intrusion and the technology used by the Intruder have, to date, made it impossible for us to determine much of the information we believe was stolen, and we believe that we may never be able to identify much of that information."
The breach is the largest known data theft to date, topping the 40 million credit-card numbers put at risk by a breach of CardSystems Solutions' processing systems in 2005 and leaving in the dust the 26.5 million personnel files stored on a laptop and external hard drive which were stolen from the home of an employee of the U.S. Department of Veterans Affairs. The laptop was later recovered.
The TJX breach became public in January when the company announced it had discovered that online attackers had compromised its network. Originally the company thought the first attack had occurred no earlier than May 2006, but in late February it announced that evidence pointed to intrusions as far back as July 2005. Banks have reissued a large number of credit-card accounts put at risk by the breach, and Florida law enforcement has stated that a ring of gift-card fraudsters had used the stolen numbers to buy more than $8 million in merchandise.
The company minimized such reports in its financial statement.
"While we have been advised by law enforcement authorities that they are investigating fraudulent use of payment card information believed stolen from TJX, we do not know the extent of any fraudulent use of such information," the company said in its annual report. "Some banks and payment card companies have advised us that they have found what they consider to be preliminary evidence of possible fraudulent use of credit payment card information that may have been stolen from us, but they have not shared with us the details of their preliminary findings."
The Framingham, Mass., company found that two of its computer networks had been breached. The online attackers compromised the company's systems in Framingham that process and archive transactions and returns from its T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the U.S. and Puerto Rico as well as its Winners and HomeSense stores in Canada, the firm stated in its annual report. Attackers also breached "a portion of our computer systems" in Watford, U.K., that process and archive transactions from the company's T.K. Maxx stores in the United Kingdom and Ireland, TJX stated.
Only about a third of the credit-card accounts, about 15 million, are likely at risk from the attacks, because the expiration dates on the other two thirds of the card numbers had already passed at the time the accounts were stolen, according to TJX's report. However, the company did not have information on how many credit-card issuers reused the same card numbers when extending the expiration date.
In addition, more than 450,000 names, addresses and personal ID numbers (in most cases, the person's Social Security number) were also taken from the servers, the company stated.