TJX data heist confirmed as largest ever

Retailer reveals that attacks resulted in loss of 45.7 million consumer records

TJX Companies confirmed in its latest filings with the Securities and Exchange Commission that the network intrusion carried out on its systems resulted in the loss of 45.7 million consumer records, making it the largest such breach on record.

According to TJX's annual report, filed with the SEC on March 28, the retail chain had some 45.6 million credit card and debit card records stolen from its payment processing and data storage systems over an 18 month period between 2005 and 2006. An additional 451,000 records regarding customer returns made during 2003 were also lifted from its systems, the Framingham, Mass.-based company said.

The largest single loss of consumer data reported previously had been CardSystems Solutions' exposure of just over 40 million records in 2005.

In the report, TJX specifically blames the incident on an unconfirmed number of external intruders who broke into its systems, therein refuting theories that the breach may have been the result of an inside operation.

Additionally, even after the exhaustive investigation that TJX has employed since first discovering the attack on Dec. 18, 2006 -- including the hiring of computer forensics specialists from IBM and General Dynamics -- the firm admits it may never know the full scope of the data loss.

"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said in its 10-K filing with the SEC. "We are continuing to try to identify information stolen in the computer intrusion through our investigation, but other than the information provided, we believe that we may never be able to identify much of the information believed stolen."

Based on its subsequent investigation, TJX reported that the data theft specifically affected systems at its Massachusetts headquarters that were used to store data related to payment card, check, and return transactions at its A.J Wright, HomeGoods, Marshalls, and T.J. Maxx stores in the U.S. and Puerto Rico, as well as its HomeSense and Winners chains in Canada, and T.K. Maxx stores in the U.K.

In addition to the Framingham attack, the company said its computer systems in Watford, U.K. that process payment card transactions at T.K. Maxx in the United Kingdom and Ireland had been attacked.

The report marks the first time TJX has confirmed the date when it first became aware of the attack, which it first reported publicly nearly one month later on Jan. 17. However, the company said it began working with IT security consultants and law enforcement officials within days of learning of the event.

According to the SEC report, the company's systems were first attacked by outsiders during July 2005, and then repeatedly targeted until Dec. 2006, when TJX officials said they first became aware of the breach.

Once investigators were called in at that time they determined the intruders were still present on the company's computing systems, and began monitoring the attack, which finally concluded in January 2007.

One of the incidents that may have led to the firm's discovery of the breach was reports sent to TJX in November 2006 by law enforcement officials in Florida who had uncovered a ring of thieves using credit card stolen from the retailer to carry out fraudulent transactions. Six people have been jailed in connection to those crimes, and another four people currently are wanted by the Florida Department of Law Enforcement.

The company offered a number of new details about the types of data that were stolen via the intrusions.

TJX claims that one of the problems it has encountered during its investigation is that the information that thieves were lifting from its payment processing systems was also being routinely deleted by the company as part of its storage security practices.

"We have been able to identify only some of the information that we believe was stolen; prior to discovery of the computer intrusion, we deleted in the ordinary course of business the contents of many files that we now believe were stolen," the company said.   "In addition, the technology used by the intruder has, to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006."

The firm reported that customer's credit and debit card personal identification numbers (PINs) were likely not compromised because that information was encrypted at the point-of-sale before being stored on the Framingham systems and was not retained in the Watford systems. Customers' names and addresses were not stored on the Framingham system in connection with payment card or check transactions, the firm said.

Debit card information used by customers in the Canada stores was also not compromised, according to the report.

The firm said it stopped the practice of storing so-called Track 2 data taken from the magnetic stripes on payment cards after Sept. 2003, and that it had implemented masking tools to obscure PIN information and other payment card and check information in early 2006.

In its 10-K filing, TJX reported it has already spent roughly $5 million on recovery efforts related to the attack and indicated it may continue to pay for the incident, in particular through lawsuits. On March 21, one of the company's shareholders, the Arkansas Carpenters Pension Fund, announced a suit against   TJX for failing to provide more details about the intrusion.

Copyright © 2007 IDG Communications, Inc.