CONSUMER NEWS RECALLS COMPLAINT FORM SCAM ALERTS

Small Claims Guide \| Class Actions \| Lemon Law \| FAQ \| Resources \| Newsletters \| Spanish
Automotive Education Electronics Family Finance Health Homeowners Shopping Travel

TJX Data Breach Called "Biggest Ever"

46 Million Customers' Data Exposed to Identity Thieves

By Martin H. Bosworth
ConsumerAffairs.com

March 29, 2007

TJX
• TJX To Pay Mastercard $24 Million For Data Breach
• TJX Settles with FTC Over Data Breach
• TJX Settles with Banks over Data Breach
• TJX Settles Visa Suit over Data Breach
• Attorneys General Oppose TJX Data Breach Settlement
• TJX Data Breach Victims Reach 94 Million
• TJX Data Breach Settlement Has Strings Attached
• Wireless Hackers Suspected In TJ Maxx Breach
• TJX Data Breach Called "Biggest Ever"
• Data From T.J. Maxx Breach Connected To Florida Fraud
• TJX Data Breach Bigger than Earlier Estimates
• Massachusetts, Rhode Island Open TJX Probes
• TJX Sued for Loss of Consumer Data
• Hackers Hit T.J.Maxx, Marshalls
• Congress Takes On Data Security
---
• TJX Customers: What To Do
• Consumer Complaints

Nearly 46 million TJX customers had their credit and debit card data exposed in an ongoing breach that lasted over 18 months, the company said today. The company the theft included personal data it had stored on 455,000 individuals, including drivers' license numbers and military identification numbers.

The new revelations led Gartner research analyst Avivah Litan to say that the TJX breach had "set a record" for the amount of personal information exposed, and was already being calling the "biggest ever."

The previous recordholder was CardSystems, the payment processor that had stored data on 40 million Visa and MasterCard users, and was hit by an outside hack in 2005. CardSystems, later sold to biometric payments processor PayByTouch, settled Federal Trade Commission (FTC) charges that it had failed to adequately protect the data.

TJX, the parent company of the TJ Maxx, Marshalls, Winners, and HomeSense shopping chains, reported that computer hackers had broken into its systems on Dec. 18, 2006, and had accessed customer card information from their payment processing systems. The company first hired specialists from IBM and General Dynamics to investigate the incident, then contacted local and federal law enforcement. The public was finally made aware of the breach on Jan. 13, 2007.

It was later determined that the first breach had occured in July 2005, and that TJX's networks had suffered similar, albeit smaller, breaches in 2003 and 2004.

The hackers had gained access to the TJX network and were siphoning data even before it was encrypted for storage, and were apparently taking extra efforts to ensure their actions would not be detected by regular security sweeps. The hackers apparently had traps set up to pick up data during the card issuer's approval process, as well as access to the decryption key TJX used to read its data.

TJX was hit with investigations from multiple states, including Massachusetts and Rhode Island, for failing to secure its customer data and more aggressively notify affected customers. Massachusetts Attorney General Martha Coakley -- herself a victim of identity theft in an unrelated case -- said that she would crack down more heavily on cases of identity theft and fraud during her tenure.

The FTC is thought to be investigating TJX in the wake of the breach and the company faces at least one class-action lawsuit, and a number of individual lawsuits.

Since the breach was disclosed, banks have reported multiple instances of fraud utilizing the card numbers acquired during the hack. Most recently, Florida authorities arrested several individuals who had encoded "clone" credit cards with numbers acquired in the breach, then used the fake cards to buy multiple gift cards from Wal-Mart, which they then used to purchase millions in expensive merchandise.

The suspects in the Florida fraud case may have gained the TJX credit card numbers through transactions in the "underground economy," which includes secret Internet chat rooms where hackers sell and buy stolen personal information. A full set of personal data -- name, address, and Social Security number -- can sell for as little as $14, and credit and debit card numbers usually go for as little as $1, according to a study released by Symantec.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

July 6 2008

Print, mail, etc.

FREE CONSUMER NEWSLETTERS

The Daily Consumer
Afternoons M-F
Sign up now!

Consumer News & Alerts
Every Sunday
Sign up now!

Knowledge is free.
Knowledge is power.

Back to the top |

Terms of Use Your use of this site constitutes acceptance of the Terms of Use

Advertisements on this site are placed and controlled by outside advertising networks. ConsumerAffairs.com does not evaluate or endorse the products and services advertised. See the FAQ for more information.

Company Response Welcome If complaints about your company appear on our site, we welcome your response. Please see the Response Form for more information.

For more information, see the FAQ and privacy policy. The information on this Web site is general in nature and is not intended as a substitute for competent legal advice. ConsumerAffairs.com Inc. makes no representation as to the accuracy of the information herein provided and assumes no liability for any damages or loss arising from the use thereof.