TJX Companies confirmed in its latest filings with the Securities and Exchange Commission that the network intrusion carried out on its systems resulted in the loss of 45.7 million consumer records, making it the largest such breach on record.
According to TJX's annual report, filed with the SEC on March 28, the retail chain had some 45.6 million credit card and debit card records stolen from its payment processing and data storage systems over an 18 month period between 2005 and 2006. An additional 451,000 records regarding customer returns made during 2003 were also lifted from its systems, the Framingham, Mass.-based company said.
The largest single loss of consumer data reported previously had been CardSystems Solutions' exposure of just over 40 million records in 2005.
In the report, TJX specifically blames the incident on an unconfirmed number of external intruders who broke into its systems, therein refuting theories that the breach may have been the result of an inside operation.
Additionally, even after the exhaustive investigation that TJX has employed since first discovering the attack on Dec. 18, 2006 -- including the hiring of computer forensics specialists from IBM and General Dynamics -- the firm admits it may never know the full scope of the data loss.
"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said in its 10-K filing with the SEC. "We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided, we believe that we may never be able to identify much of the information believed stolen."
Based on its subsequent investigation, TJX reported that the data theft specifically affected systems at its Massachusetts headquarters that were used to store data related to payment card, check, and return transactions at its A.J Wright, HomeGoods, Marshalls, and T.J. Maxx stores in the U.S. and Puerto Rico, as well as its HomeSense and Winners chains in Canada, and T.K. Maxx stores in the U.K.
In addition to the Framingham attack, the company said its computer systems in Watford, U.K. that process payment card transactions at T.K. Maxx in the United Kingdom and Ireland had been attacked.
The report marks the first time TJX has confirmed the date when it first became aware of the attack, which it first reported publicly nearly one month later on Jan. 17. However, the company said it began working with IT security consultants and law enforcement officials within days of learning of the event.
According to the SEC report, the company's systems were first attacked by outsiders during July 2005, and then repeatedly targeted until Dec. 2006, when TJX officials said they first became aware of the breach.
Once investigators were called in at that time they determined the intruders were still present on the company's computing systems, and began monitoring the attack, which finally concluded in January 2007.