45 Million Credit Cards Hit By Hackers

Discount Retailer TJX Says Data From 45.7M Cards Stolen; Transactions Date Back To 2003

(CBS/AP)  Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX's customer information in a security breach that the discount retailer disclosed more than two months ago.

TJX Cos., the owner of about 2,500 retail stores, including T.J. Maxx, Mashalls and HomeSense, said in a regulatory filing late Wednesday that about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic strips had been masked — stored as asterisks rather than numbers.

But TJX acknowledged it still knows little about the full scope of the breach, in part because the hacker or hackers accessed TJX's encryption software and could have known how to unscramble the information.

TJX Companies Inc stated on its Web site early in 2007 that they discovered the "unauthorized intrusion in mid-December 2006" and the company believes it began in May 2006 with customer data compromised from then until December 2006, CBS News financial adviser Ray Martin reported.

In addition, TJX deleted much of the transaction data in the normal course of business between the time of the breach and the time that TJX detected it, making it impossible to know how many total cards were affected.

---

On The Early Show Friday, financial author and radio host Dave Ramsey offered advice to help you avoid becoming a victim of identity theft. To watch, click here.

---

"There is a lot of information we don't know, and may never be able to know, which is why this investigation has been so laborious," TJX spokeswoman Sherry Lang said on Thursday.

The company provided an update of its investigation in a regulatory filing made after business hours Wednesday.

TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from customer transactions dating to January 2003. TJX says it didn't find out about the breach until about three months ago.

Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the Securities and Exchange Commission. TJX did not give estimates of the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003 to June 28, 2004.

TJX said in the filing that "substantially all stolen data" from the latter period "were deleted in the ordinary course of business subsequent to the believed theft but prior to discovery of computer intrusion."

Lang said TJX was investigating why information stolen during the initial nine-month period in 2003 wasn't been routinely deleted.

The filing also says, "We believe that the intruder had access to the decryption tool for the encryption software utilized by TJX."

The filing also said another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver's license numbers.

The filing gives the first detailed account of the breach initially disclosed in January by Framingham-based TJX, the owner of T.J. Maxx, Marshall's and other stores in North America and the United Kingdom.

The filing says the company "does not know who took this action, and whether there were one or more intruders involved." Also unknown is whether there was a single continuing breach, or multiple, separate intrusions.

Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards. The gift cards had been purchased from Wal-Mart stores, and were used to acquire electronics and jewelry at Wal-Mart's Sam's Club warehouse stores.

TJX's Lang said Thursday that the company could not yet confirm whether the data used in those thefts originated at TJX.

Gainesville, Fla. police have said they believe the Florida suspects bought the card numbers from someone else, and weren't the TJX hackers.

In Wednesday's filing, TJX said for the first time that Dec. 18, 2006, was the date it first learned that there was suspicious software on its computer system.

TJX said it believes hackers invaded its systems in July 2005, on later dates in 2005 and also from mid-May 2006 to mid-January 2007. The company said no customer information was stolen after Dec. 18, one day before it hired General Dynamics Corp. and IBM Corp. to investigate. By Dec. 21, those investigators determined that the computer systems had been breached and that an intruder remained on the systems.

TJX said it notified federal authorities Dec. 22, and on Jan. 3, TJX officials and Secret Service agents met with banks and payment card and check processing companies to discuss the computer intrusion.

The company issued a news release Jan. 17 disclosing the breach but did not say how much data was stolen.

TJX is facing an investigation by the Federal Trade Commission and lawsuits from individuals and banks accusing it of failing to do enough to safeguard private data and of delaying disclosure of the problem.

The company said in Wednesday's filing that its forensic investigation of the intrusion is ongoing and it is continuing to work to strengthen and protect its computer systems.

[seangia-2009]

Well. identity theft is here and it is not going anywhere. That is because it is so easy for other people to gather your personal information. And they don't even have to be a hacker. Just take a temp job at a temp agency. And you'll have access to personal information ranging from others' dental info to their mortgage applications. For instance, Iron Mountain - a record keeping company - hires temp employees to work for a short period of time. These temp employees don't even need to pass drug tests or background checks. And they are hired to process those personal info.

[seangia-2009]

Well. identity theft is here and it is not going anywhere. That is because it is so easy for other people to gather your personal information. And they don't even have to be a hacker. Just take a temp job at a temp agency. And you'll have access to personal information ranging from others' dental info to their mortgage applications. For instance, Iron Mountain - a record keeping company - hires temp employees to work for a short period of time. These temp employees don't even need to pass drug tests or background checks. And they are hired to process those personal info.

[Syndicate]

If I become the victim of Identity theft I will sue the hell out of any company that gives them credit in my name.

[ladyephesus1]

hmm..sounds like a young girl that is probably being raped by her a family member or by a no good boyfriend that wants it hush hush.
Sad shame she couldnt have the decency to leave the babies in a safer, warmer place. Shes not fit to mother an animal it looks like. hmmpff

[puzzler125]

Sure, I'll pay with cash 100% of the time. Then I'll never be able to buy a home, get a mortgage, after having established an excellent rating, get an excellent rate on my student loans, and, oh yeah, get a car loan at a really good APR. It is not realistic, nor financially healthy actually, to pay for everything with cash. Also, when I mail-order by credit card American Express and Visa back me up if I have a problem!

[bobbycya]

You get the max for the minimum................

[silver9991]

Cantshutup: Lots of people use credit cards responsibly. They pay them off every month. Keep in mind most hotels won't accept reservations without a credit card, even if you pay in person when you arrive. (Maybe you should re-evaluate your handle?) Personally I prefer to do most of my transactions in cash, but this is not always practical.

I agree with those here who wonder why transactions attached to the credit card numbers were stored by the corporation for so long. Will be interesting to hear the explanation.

[passerby2]

they should have a law prohibiting these business from keeping our information on their system once they've gotten paid. I don't see any reason why they should be keeping our information on their systems.

[jow1998]

Its not TJ MAXX that has 45 million customers ...its TJX the company that owns HomeGoods, Marshalls, TJ Maxx AJ Wright, and so on....get your facts straight before you goin running your mouth ....and i agree -use cash then you dont have to worry about anything being stored anywhere...and as far as the drivers license # go that was to track repeat returners or refund fraud artists as i like to call them....think before you buy think before you use your card....anywhere you go any system you use your info is stored somewhere...BE SMART and you wont have any problems!

[mrvolleyba11]

I find it hard to believe T. J. Maxx HAS 45 million customers... :-)
Posted by topblknavy at 04:59 PM : Mar 29, 2007

its because they collect this data and never delete it, their data base just gets larger and larger! ...but if you don't have a "nonsecure" credit card it doesn't matter if your info is stoled because by (Federal) law you are not responsible for it (some cards only responsible for $50). Just the hassle of getting it all sorted out with your credit card company. shouldn't even make it to your credit report.

[mrvolleyba11]

Why are these companies holding on to all this credit info is the real question (and problem)! if you must maintain credit card info maintain it on a system that is NOT hooked into any network or phone lines and then the problem is solved!

[hypnotoad72]

Also, just what does "cash only" have to do with any of this? Is it wrong to use a card, wisely, and pay it off on time until some greedy-arse leech finds a way to take your data and rack up $8000 in credit? That's not the cardholder's problem, period. People CAN use credit cards responsible, so don't blindly label people.

[hypnotoad72]

Security, folks. This is the ONE area, regardless of industry, where you do not want to underpay, rest on your laurels, or let it be a one-man show.

I agree, there is a lawsuit in the making.

I also agree - stern punishment for ID theft as a deterrent. It won't stop everybody, but *** straight it'll slow some of them down and bother to think about consequences (you know, the things the people who helped make the ID thievery career choice a viable one!)

Still, TJ Maxx is a symptom of a much bigger problem. I hope that, one day, those who caused it (sloppy computer program and operating system writers) will have to pay the penalty for releasing sub-prime software riddled with holes and oversights that allow these ****ards to rip YOU off. TJ Maxx isn't exactly thrilled about this incident either and to blame them as the cause of all ills is dumb.

I find it hard to believe T. J. Maxx HAS 45 million customers... :-)

[killtheliars]

easy solution: capital punishment for anyone who takes what is not rightfully theirs, and no exceptions for minors either

[kiwi_chick]

what i want to know is, why do these f**king moron businesses keep our confidential data on their systems?

[mnelsonix]

It's all Bush's fault...lol. No such thing as a secure database. This kind of theft is only going to get worse. Keep a close eye on your statements and shred your mail. What else can we do?

"I like to use the google," GWB.

[jshmks]

That's why i don't shop at TJ Maxx hahahahahaha

[gunnerv1]

Sounds like a law suit in the making. (It's all Bushs fault)