[ISN] T.J. Maxx probe finds broader hacking

From: InfoSec News (alerts@private)
Date: Wed Feb 21 2007 - 23:07:24 PST


By Caroline McCarthy
February 21, 2007

The TJX Companies, the discount retailer best known for its T.J. Maxx 
and Marshalls clothing stores, said Wednesday that its hacking 
investigation has uncovered more extensive exposure of credit and debit 
card data than it previously believed.

Information on millions of TJX customers may have been exposed in the 
long-running attack, which was made public last month. It affects 
customers of any TJX store in the U.S., Canada or Puerto Rico, with 
the exception of its Bob's Stores chain.

The breach of credit and debit card data was initially thought to have 
lasted from May 2006 to January. However, TJX said Wednesday that it now 
believes those computer systems were first compromised in July 2005.

TJX said credit and debit card data from January 2003 through June 2004 
was compromised. The company previously said that only 2003 data may 
have been accessed. According to TJX, however, some of the card 
information from September 2003 through June 2004 was masked at the time 
of the transactions.

The company added that names and addresses apparently were not included 
with the card information, that debit card PIN numbers are not believed 
to have been vulnerable, and that data from transactions made with debit 
cards issued by Canadian banks likely were not vulnerable.

TJX also found that there was evidence of intrusion into the system that 
handles customer transactions for its T.K. Maxx stores in the United 
Kingdom and Ireland, but that there has been no confirmation that anyone 
actually accessed that data.

In addition to these exposures, TJX said there were more breaches of 
driver's license information than it previously thought. These included 
the license numbers, names and addresses of customers making merchandise 
returns in the U.S. and Puerto Rico locations of T.J. Maxx, Marshalls 
and HomeGoods stores. That compromised data, according to TJX, is 
restricted to returns without receipts that took place in the last four 
months of 2003, as well as in May 2004 and June 2004.

TJX plans to notify customers whose driver's license data may have been 

The company, which is continuing its investigation, encourages customers 
to check their credit-card and bank-account records and look for further 
updates on its Web site.
