45 Million Credit Cards Hit By Hackers
Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX's customer information in a security breach that the discount retailer disclosed more than two months ago.
TJX Cos., the owner of about 2,500 retail stores, including T.J. Maxx, Mashalls and HomeSense, said in a regulatory filing late Wednesday that about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic strips had been masked — stored as asterisks rather than numbers.
But TJX acknowledged it still knows little about the full scope of the breach, in part because the hacker or hackers accessed TJX's encryption software and could have known how to unscramble the information.
TJX Companies Inc stated on its Web site early in 2007 that they discovered the "unauthorized intrusion in mid-December 2006" and the company believes it began in May 2006 with customer data compromised from then until December 2006, CBS News financial adviser Ray Martin reported.
In addition, TJX deleted much of the transaction data in the normal course of business between the time of the breach and the time that TJX detected it, making it impossible to know how many total cards were affected.
On The Early Show Friday, financial author and radio host Dave Ramsey offered advice to help you avoid becoming a victim of identity theft. To watch, .
"There is a lot of information we don't know, and may never be able to know, which is why this investigation has been so laborious," TJX spokeswoman Sherry Lang said on Thursday.
The company provided an update of its investigation in a regulatory filing made after business hours Wednesday.
TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from customer transactions dating to January 2003. TJX says it didn't find out about the breach until about three months ago.
Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the Securities and Exchange Commission. TJX did not give estimates of the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003 to June 28, 2004.
TJX said in the filing that "substantially all stolen data" from the latter period "were deleted in the ordinary course of business subsequent to the believed theft but prior to discovery of computer intrusion."
Lang said TJX was investigating why information stolen during the initial nine-month period in 2003 wasn't been routinely deleted.
The filing also says, "We believe that the intruder had access to the decryption tool for the encryption software utilized by TJX."
The filing also said another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver's license numbers.
The filing gives the first detailed account of the breach initially disclosed in January by Framingham-based TJX, the owner of T.J. Maxx, Marshall's and other stores in North America and the United Kingdom.
The filing says the company "does not know who took this action, and whether there were one or more intruders involved." Also unknown is whether there was a single continuing breach, or multiple, separate intrusions.
Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards. The gift cards had been purchased from Wal-Mart stores, and were used to acquire electronics and jewelry at Wal-Mart's Sam's Club warehouse stores.
TJX's Lang said Thursday that the company could not yet confirm whether the data used in those thefts originated at TJX.
Gainesville, Fla. police have said they believe the Florida suspects bought the card numbers from someone else, and weren't the TJX hackers.
In Wednesday's filing, TJX said for the first time that Dec. 18, 2006, was the date it first learned that there was suspicious software on its computer system.
TJX said it believes hackers invaded its systems in July 2005, on later dates in 2005 and also from mid-May 2006 to mid-January 2007. The company said no customer information was stolen after Dec. 18, one day before it hired General Dynamics Corp. and IBM Corp. to investigate. By Dec. 21, those investigators determined that the computer systems had been breached and that an intruder remained on the systems.
TJX said it notified federal authorities Dec. 22, and on Jan. 3, TJX officials and Secret Service agents met with banks and payment card and check processing companies to discuss the computer intrusion.
The company issued a news release Jan. 17 disclosing the breach but did not say how much data was stolen.
TJX is facing an investigation by the Federal Trade Commission and lawsuits from individuals and banks accusing it of failing to do enough to safeguard private data and of delaying disclosure of the problem.
The company said in Wednesday's filing that its forensic investigation of the intrusion is ongoing and it is continuing to work to strengthen and protect its computer systems.
© 2009 CBS Interactive Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report. TJX Cos., the owner of about 2,500 retail stores, including T.J. Maxx, Mashalls and HomeSense, said in a regulatory filing late Wednesday that about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic strips had been masked — stored as asterisks rather than numbers.
But TJX acknowledged it still knows little about the full scope of the breach, in part because the hacker or hackers accessed TJX's encryption software and could have known how to unscramble the information.
TJX Companies Inc stated on its Web site early in 2007 that they discovered the "unauthorized intrusion in mid-December 2006" and the company believes it began in May 2006 with customer data compromised from then until December 2006, CBS News financial adviser Ray Martin reported.
In addition, TJX deleted much of the transaction data in the normal course of business between the time of the breach and the time that TJX detected it, making it impossible to know how many total cards were affected.
On The Early Show Friday, financial author and radio host Dave Ramsey offered advice to help you avoid becoming a victim of identity theft. To watch, .
"There is a lot of information we don't know, and may never be able to know, which is why this investigation has been so laborious," TJX spokeswoman Sherry Lang said on Thursday.
The company provided an update of its investigation in a regulatory filing made after business hours Wednesday.
TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from customer transactions dating to January 2003. TJX says it didn't find out about the breach until about three months ago.
Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the Securities and Exchange Commission. TJX did not give estimates of the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003 to June 28, 2004.
TJX said in the filing that "substantially all stolen data" from the latter period "were deleted in the ordinary course of business subsequent to the believed theft but prior to discovery of computer intrusion."
Lang said TJX was investigating why information stolen during the initial nine-month period in 2003 wasn't been routinely deleted.
The filing also says, "We believe that the intruder had access to the decryption tool for the encryption software utilized by TJX."
The filing also said another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver's license numbers.
The filing gives the first detailed account of the breach initially disclosed in January by Framingham-based TJX, the owner of T.J. Maxx, Marshall's and other stores in North America and the United Kingdom.
The filing says the company "does not know who took this action, and whether there were one or more intruders involved." Also unknown is whether there was a single continuing breach, or multiple, separate intrusions.
Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards. The gift cards had been purchased from Wal-Mart stores, and were used to acquire electronics and jewelry at Wal-Mart's Sam's Club warehouse stores.
TJX's Lang said Thursday that the company could not yet confirm whether the data used in those thefts originated at TJX.
Gainesville, Fla. police have said they believe the Florida suspects bought the card numbers from someone else, and weren't the TJX hackers.
In Wednesday's filing, TJX said for the first time that Dec. 18, 2006, was the date it first learned that there was suspicious software on its computer system.
TJX said it believes hackers invaded its systems in July 2005, on later dates in 2005 and also from mid-May 2006 to mid-January 2007. The company said no customer information was stolen after Dec. 18, one day before it hired General Dynamics Corp. and IBM Corp. to investigate. By Dec. 21, those investigators determined that the computer systems had been breached and that an intruder remained on the systems.
TJX said it notified federal authorities Dec. 22, and on Jan. 3, TJX officials and Secret Service agents met with banks and payment card and check processing companies to discuss the computer intrusion.
The company issued a news release Jan. 17 disclosing the breach but did not say how much data was stolen.
TJX is facing an investigation by the Federal Trade Commission and lawsuits from individuals and banks accusing it of failing to do enough to safeguard private data and of delaying disclosure of the problem.
The company said in Wednesday's filing that its forensic investigation of the intrusion is ongoing and it is continuing to work to strengthen and protect its computer systems.
Popular on MoneyWatch
- Reverse cell phone lookup service is free and simple
- TGI Fridays nailed for doctoring booze
- Amy's Baking Company could face legal 'nightmare'
- Student debt repayment options offer hope
- GM recalling 27K Cadillac SUVs; Regulators: Wheels can fall off
- Student loan defaults rising despite a way out
- Turn off Windows 8 with one click
- Top 10 professional life coaching myths
Sad shame she couldnt have the decency to leave the babies in a safer, warmer place. Shes not fit to mother an animal it looks like. hmmpff
I agree with those here who wonder why transactions attached to the credit card numbers were stored by the corporation for so long. Will be interesting to hear the explanation.
Posted by topblknavy at 04:59 PM : Mar 29, 2007
its because they collect this data and never delete it, their data base just gets larger and larger! ...but if you don't have a "nonsecure" credit card it doesn't matter if your info is stoled because by (Federal) law you are not responsible for it (some cards only responsible for $50). Just the hassle of getting it all sorted out with your credit card company. shouldn't even make it to your credit report.