by Paul Roberts

Massive TJX Security Breach Reveals Credit Card Data

Jan 18, 2007
Cybercrime, Data Breach, Network Security

The TJX Companies, a large retailer that operates more than 2,000 retail stores under brands such as Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United States and abroad.

The company does not know the extent of the breach, which was first discovered in December 2006. However, hackers may have made off with credit and debit information from transactions in the United States, Canada and Puerto Rico in 2003 as well as transactions between May and December 2006, according to a company statement.

Banking officials in Massachusetts say the TJX breach is behind a recent warning by Visa to banks in Massachusetts, which have contacted customers in recent days and had to reissue thousands of ATM and debit cards. In the end, the hack may affect a wide range of credit card companies and thousands of consumers in America and in countries like the United Kingdom and Ireland, experts say.

TJX said it is working with IBM and General Dynamics to investigate the breach, which is believed to have occurred on computer systems that process and store information on customer transactions for T.J. Maxx, Marshalls, HomeGoods and A.J. Wright. Transactions from T.K. Maxx in the United Kingdom and Ireland may have also been exposed in the breach.

TJX said it knows of “a limited number of credit card and debit card holders whose information was removed from the system,” and has provided that information to credit card companies. TJX is also working with law enforcement, including the U.S. Department of Justice, U.S. Secret Service and Royal Canadian Mounted Police, TJX said in its statement.

The company said it does not yet have enough information to determine the extent of the breach or what other customer information may have been compromised, nor can it quantify the financial impact of the breach.

Between eight and 10 Massachusetts banks have already had customers whose accounts were raided as a result of the breach. Those banks have had to reissue debit cards in response, said Bruce Spitzer, director of communications at the Massachusetts Bankers Association (MBA).

However, the MBA is still surveying its membership of 205 banks and credit unions. The effect of the TJX hack could be much wider and international in scope, he said.

Fitchburg Savings Bank in Fitchburg, Mass., has had to reissue 1,300 cards to customers whose account information was stolen, said Linda Racine, an executive vice president at the bank.

Fitchburg Savings was contacted by Visa on Monday night about the compromised customer accounts. However, the credit card company would not reveal the identity of the retailer that was the source of the breach, citing company rules, Racine said.

Fitchburg Savings has sent letters to customers and reissued cards for affected accounts. However, no Fitchburg Savings customers appear to have been victims of fraud so far, she said.

The TJX breach recalls other recent hacks, including one at BJ’s Wholesale Club and another, reportedly at OfficeMax in 2005. Those breaches, as well as incidents like the hacking of card processor Card Systems, prompted the payment card industry to issue new rules, dubbed the PCI, about how sensitive data is stored and transmitted on internal systems.

However, Spitzer of the MBA said that banks still bore the brunt of security breaches at retailers because they have to pay to reissue cards to customers and absorb the financial losses from unauthorized account withdrawals. Small banks and credit unions often have trouble absorbing those costs, though they are not at fault in the breach itself, Spitzer said.

Spitzer took issue with the delay between the time TJX learned of the breach and when his organization and banks were notified, as well as with Visa’s policy of keeping the source of the breach a secret.

“We would have liked to know sooner,” he said.

MBA is working with state and federal lawmakers to hold card companies and retailers more accountable for the costs of security lapses, he said.