Complain about a product or service

Hackers Hit T.J.Maxx, Marshalls

Customer Data Exposed in Major Data Breach

By Martin H. Bosworth
ConsumerAffairs.com

January 18, 2007

TJX • TJX To Pay Mastercard $24 Million For Data Breach • TJX Settles with FTC Over Data Breach • TJX Settles with Banks over Data Breach • TJX Settles Visa Suit over Data Breach • Attorneys General Oppose TJX Data Breach Settlement • TJX Data Breach Victims Reach 94 Million • TJX Data Breach Settlement Has Strings Attached • Wireless Hackers Suspected In TJ Maxx Breach • TJX Data Breach Called "Biggest Ever" • Data From T.J. Maxx Breach Connected To Florida Fraud • TJX Data Breach Bigger than Earlier Estimates • Massachusetts, Rhode Island Open TJX Probes • TJX Sued for Loss of Consumer Data • Hackers Hit T.J.Maxx, Marshalls • Congress Takes On Data Security --- • TJX Customers: What To Do

TJX Companies Inc., the corporate parent of retail chains T.J. Maxx and Marshalls, was hit with an "unauthorized intrusion" that exposed customers' credit and debit card data to the hacker, the company said today.

TJX, based in Framingham, Massachusetts, detected the hack in mid-December 2006. The company claimed it did not have a full estimate of the number of customers affected, or what the potential financial fallout may be.

The TJX breach may be responsible for warnings issued by Visa to banks throughout Massachusetts, as well as a wave of reissues of ATM and debit cards to customers.

The hack itself involved the compromise of credit and debit card data from sales at TJX store chains in the U.S., Canada, and Puerto Rico through 2003, and again in the latter half of 2006. TJX said it is investigating the possibility that the breach may extend to its retail chains in the U.K. and Ireland.

According to a press release, TJX has identified "a limited number of credit card and debit card holders whose information was removed from its system," and is providing this information to credit card issuers.

TJX also informed the Justice Department and local law enforcement agencies, as well as contacting IBM and General Dynamics to assist it with improving its security procedures and preventing further breaches.

The company has also set up a toll-free number (866-484-6978) for customers who have questions, and is also taking information on its Web site.

"We are deeply concerned about this event and the difficulties it may cause our customers," Ben Cammarata, chairman and acting CEO of TJX, said. "We want to assure our customers that this issue has the highest priority."

Analysts were dismissive of the long-term effects of the breach, saying it would not significantly hurt the company's earnings, and that their biggest concern was making sure customers' concerns were addressed.

Jefferies analyst Timothy Allen said that TJX should offer customers "personal phone calls" or "discount coupons" to ease their worries.

Long-Term Repercussions

Jeffries' advice aside, the effects of data breaches such as the TJX attack can often remain hidden for months, or never be detected at all.

Citibank customers are still puzzling over a massive data breach in March 2006 that caused thousands of Visa-branded Citibank cards to be canceled and reissued. Although the breach was traced to a third-party payment processor, neither Visa nor Citibank ever came completely clean with the details of the event.

Infamous payment processor CardSystems was at the center of a huge data breach that exposed the account information of 40 million Visa and MasterCard users, resulting in the loss of 260,000 users' data. CardSystems was eventually shut down and sold to Pay By Touch, a California-based biometrics payment processor.

Some speculated that the CardSystems breach may have been connected to a wave of unauthorized "spam charges" that flooded people's credit and debit cards in late 2005. No culprit was ever found.

Even if consumers act smartly by canceling their cards and putting fraud alerts on their accounts, it won't always solve the problem. Smart hackers will take stolen credit card information and encode it on blank cards, such as hotel key cards, and then use the "clone" cards to make purchases too small to be detected as fraudulent.

Debit cards are also much more vulnerable to fraud than credit cards. Federal law limits consumer liability for a fraudulent transaction to no more than $50, and many banks will waive any fraudulent charges instantly. There is no equivalent law for debit cards, however, and though banks will often negate fraudulent debit charges as well, it's no sure thing.

The end result is that consumers are often left completely in the dark when data breaches occur, wondering if they dodged a bullet, or if the inconvenience and frustration of fraud is simply waiting to hit them at a later date.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |