Computer hackers swiped information from at least 45.7 million credit and debit cards of discount retailing giant TJX customers over the course of several years, the company confirmed this week.
TJX, the parent company of Marshalls, T.J. Maxx and several other national retail chains, first reported in January that hackers had breached a system that handles its credit card, debit card and check transactions in the United States and Puerto Rico.
Although officials from the Framingham, Mass.-based retail firm did not initially say how many customers had their data stolen by the computer hackers, the company did confirm the breach happened in May 2006 and involved credit card information dating back to 2003.
It was not until this week’s filing with the Securities and Exchange Commission that consumers were provided the first detailed accounts of the extent of the breach.
In addition, another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver’s license numbers, the company stated, adding that the breach could be as far-reaching as the United Kingdom and Ireland.
Just last week, police charged six people with using credit card numbers stolen from a TJX database to buy about US$1 million in merchandise with gift cards.
Across the Country
About three-quarters of the stolen cards had either already expired at the time of the theft, or data from their magnetic strips had been masked, according to TJX, which owns of about 2,500 stores.
However, the extent of the damage may never be known because many of the files had been deleted by TJX in the normal course of business, the company stated.
TJX stores accept the major credit card brands, including Visa, MasterCard, American Express and Discover.
Visa in January said it provided information about the affected accounts to the banks that issued its cards so they could take steps to protect their consumers. Visa also noted that consumers are not responsible for any fraudulent purchases.
Although TJX is unsure how the hackers gained access to its system, the increase of personal data being moved online has also increased the risk of losing personal information.
“In recent years, the list of companies and organizations reporting breaches has increased dramatically,” Rob Ayoub, an industry manager of network security at research firm Frost & Sullivan, told the E-Commerce Times.
Reports of attacks on personal data are likely just skimming the surface of what is actually happening, he added.
Over the past few years, there have been a number of large-scale breaches, including the disappearance of backup tapes containing the Bank of America credit card information of 1.2 million federal workers and the theft of more than 300,000 customers’ personal information at data broker LexisNexis.
Nevertheless, it isn’t always big business that hackers are focusing on. A number of large universities also have been the victims of theft.
The seeming increase in incidents of data and identity theft is likely a combination of factors, including greater awareness of the issues and stiffer penalties for companies that do not readily disclose the breaches, Ayoub concluded.