
T.J. Maxx hack exposes consumer data

Intruders accessed systems used to process and store customer transaction data, putting an unspecified number of shoppers at risk of identity fraud.

Joris Evers Staff Writer, CNET News.com
TJX, operator of discount chains including T.J. Maxx and Marshalls, on Wednesday said its computers were hacked, putting shoppers at risk of identity fraud.

Intruders accessed systems used to process and store customer transaction data, Framingham, Mass.-based TJX said in a statement. The retailer has identified some customer information that was taken, but the full extent of the data theft and number of affected customers is yet unknown, it said.

"TJX is conducting a full investigation of the intrusion," it said in the statement. "The company is committed to providing its customers with more information when it becomes available."

The intrusion involves systems that handle credit card, debit card, check and return transactions for T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and the Winners and HomeSense stores in Canada, TJX said. The exposed data covers 2003 and the period from mid-May through December 2006, it said.

It is also possible that transaction data for T.K. Maxx stores in the U.K. and Ireland and Bob's Stores in the U.S. was exposed in the breach, TJX said.

"It is pretty obvious that it was a very well orchestrated, targeted attack," said Avivah Litan, an analyst with Gartner. Litan suspects the perpetrators are the same people who have broken into systems at other retailers. "These people are piecing together information on millions of Americans. It is quite scary."

TJX discovered the intrusion in December and reported it to authorities in the U.S. and Canada as well as the major credit card companies and its payment processors. At the request of law enforcement, the breach was kept quiet until Wednesday, TJX said.

The breach appears broad. In Massachusetts, 28 banks have been contacted by credit card companies indicating that some of their customers have had personal information that may have been exposed, the Massachusetts Bankers Association said in a statement Thursday. That number is likely to grow as more banks report into the association, it said.

The TJX breach is the latest in a string of incidents that have exposed sensitive consumer information. Retailers are often affected; two years ago, transaction data was stolen from 108 DSW shoe stores. In another incident, a problem with point-of-sale software at Polo Ralph Lauren compromised the credit card data of as many as 180,000 people.

Major credit card companies have launched security initiatives focused on retailers. Merchants are not supposed to retain the full magnetic-stripe contents, card verification codes or PINs once a transaction has been authorized, but Visa and MasterCard have found that many point-of-sale terminals and other transaction software store all of that data anyway, sometimes without the retailer's knowledge.

In December, Visa announced it would offer $20 million in incentives for merchants and transaction service providers to comply with credit card industry security rules, called the Payment Card Industry Data Security Standard. As part of those rules, merchants have to limit what cardholder data they store and encrypt what they do keep.
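Because point-of-sale software can retain data the retailer does not know about, the practical first step is to look for it. The following is an added example, not TJX's code and not a tool from Visa, MasterCard or any assessor: a small scanner that checks stored records for full magnetic-stripe track data and clear-text card numbers, the kind of data the card brand rules say must not be kept. The log lines are constructed for the example, and the card numbers in them are industry test numbers, not real accounts.

```python
"""Scan stored records for magnetic-stripe track data and clear-text PANs.

Added example; not code from TJX or the card brands. The sample records
below are constructed, and the card numbers are standard test numbers.
"""
import re
from typing import Dict, List, Optional, Tuple

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Bare PAN candidate: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): weeds out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only first six and last four digits; never copy a full PAN into a finding."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[Dict[str, Optional[str]]]:
    """Findings for one record: full track data first, then any bare PAN outside it."""
    findings: List[Dict[str, Optional[str]]] = []
    consumed: List[Tuple[int, int]] = []  # spans already reported as track data
    for m in TRACK1_RE.finditer(line):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"kind": "track1", "pan": mask_pan(pan), "expiry": m.group(3)})
            consumed.append(m.span())
    for m in TRACK2_RE.finditer(line):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"kind": "track2", "pan": mask_pan(pan), "expiry": m.group(2)})
            consumed.append(m.span())
    for m in PAN_RE.finditer(line):
        # Skip digit runs (PAN, expiry, discretionary data) already inside a track match.
        if any(start <= m.start() < end for start, end in consumed):
            continue
        pan = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(pan):
            findings.append({"kind": "pan", "pan": mask_pan(pan), "expiry": None})
    return findings


def scan_records(records: List[str]) -> List[Tuple[int, Dict[str, Optional[str]]]]:
    """(line number, finding) pairs for every record that retains prohibited data."""
    return [(n, f) for n, line in enumerate(records, 1) for f in scan_line(line)]


# Constructed sample: what a terminal's authorisation log or debug file might hold.
SAMPLE_RECORDS = [
    # Full Track 2 kept after authorisation (prohibited).
    "2006-11-02 14:03:11 POS07 AUTH OK ;4111111111111111=09121011234567890? amt=49.99",
    # Full Track 1 written to a debug file (prohibited).
    "2006-11-02 14:03:12 POS07 DEBUG raw=%B5555555555554444^DOE/JANE^09121011000000000?",
    # Truncated PAN, which the rules allow to be stored: no finding expected.
    "2006-11-02 14:05:40 POS07 SETTLE pan=411111******1111 amt=49.99",
    # Sixteen-digit order number that fails the Luhn check: no finding expected.
    "2006-11-02 14:06:02 POS07 RETURN order=1234567890123456 amt=-12.00",
    # Clear-text full PAN without track data (must be encrypted or truncated if kept).
    "2006-11-02 14:07:15 POS07 RECEIPT pan=4111111111111111 exp=0912",
]

if __name__ == "__main__":
    for lineno, finding in scan_records(SAMPLE_RECORDS):
        print(f"line {lineno}: {finding['kind']:6} {finding['pan']} exp={finding['expiry']}")
```

Run over real data, the useful targets are terminal debug and transaction logs, database dumps, backups and crash files, since those are where track data accumulates without anyone deciding to keep it. The scanner reports masked PANs only, so its own output does not become another store of cardholder data.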

"We think it's a little odd that they would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary," said Daniel Forte, chief executive of the Massachusetts Bankers Association.

Though credit card companies instituted common security rules for card-accepting businesses two years ago, only about one-third of the biggest merchants are compliant, Visa said in December. Smaller businesses are even farther behind, the company added.

Critics argue that credit card companies are taking the wrong approach.

"It is time that the banks own up to this problem and stop shifting the responsibility to the retailers. It is impractical to expect 5 million retailers to become security experts. It is much more practical to update the payment systems," Gartner's Litan said.

TJX has hired General Dynamics and IBM to assess the intrusion, identify compromised data and secure its systems, it said.

"We have been working diligently to further protect our customers and strengthen the security of our computer systems, and we believe customers should feel safe shopping in our stores," Ben Cammarata, TJX's acting chief executive officer, said in the statement.

TJX operates 826 T.J. Maxx, 751 Marshalls, 271 HomeGoods, and 162 A.J. Wright stores, as well as 36 Bob's Stores, in the United States. In Canada, the company runs 184 Winners and 68 HomeSense stores, and in Europe, 212 T.K. Maxx stores.

Concerned TJX customers can call a helpline at 866-484-6978 in the United States, 866-903-1408 in Canada and 0800-77-90-15 in the U.K. and Ireland. TJX also provides tips for customers to prevent identity fraud on its Web site.