Jonathan Richards
TJX, the US retailer that owns the TK Maxx stores, revealed today that 45.7 million credit and debit card numbers had been stolen from its computer systems.
British and US police are investigating the theft, which took place over an 18-month period, and is believed to be the biggest card heist on record.
It affects purchases going back to December 2002, including some made by British customers at the company's 210 UK stores, for which details were stored on a system in Watford.
TJX said that it did not know how many British customers had been affected, or the extent of any fraud arising out of the stolen information, but that banks with which it has contracts had indicated that they had "preliminary evidence of possible fraudulent misuse" of the card details.
The Metropolitan Police, the Information Commissioner's Office and Visa Europe have all received intelligence on the theft, which is understood to have happened in the US and involved the thieves hacking into TJX's US and UK computer systems.
In a filing with the Securities and Exchange Commission, TJX said that its systems were first infiltrated in July 2005, and that the unauthorised access continued over an 18-month period.
The filing said another 455,000 customers who returned merchandise without receipts, and so had to provide personal data such as driving license numbers, had these details stolen as well.
TJX first discovered that there was suspicious software on its system in December and revealed it suspected numbers had been stolen in January, but has only today provided details of the full extent of the theft. It said it still knows little about the full scope of the breach, in part because the hacker or hackers accessed TJX’s encryption software and could have known how to unscramble the information.
In addition, TJX deleted much of the transaction data in the normal course of business between the time of the breach and the time that TJX detected it, making it impossible to know how many total cards were affected.
TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from customer transactions dating to January 2003.
Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards. These numbers may have been bought from the original hackers.
TJX is facing an investigation by the Federal Trade Commission and lawsuits from individuals and banks accusing it of failing to do enough to safeguard private data and of delaying disclosure of the problem.
Copyright 2008 Times Newspapers Ltd.
They have for a number of years collected data on postcodes of UK customers as part of "their customer service". One wonders if this too has been stolen. Why have they been holding credit card data for this period of time?
John, Leeds, UK
That's a mind boggling security lapse. Systems like that should be locked down and all ports closed not essential for transacting business; then those ports should be monitored for all traffic. I trust the security manager has been sacked. I would also hazard it's been an inside job.
Neil Murphy, cromer,
Is there any particular reason TKX need to hold credit and debit card details for such a long period of time? They're just sitting ducks holding 45 million card details.
Matt, Manchester,
This article suggests that TJX used encryption software.
Many of the articles in US publications over the past year suggest that they didn't.
If they didn't, then they are negligent.
If they did, then we have a problem. For security purposes, our ePassports (and ID cards) here in the UK rely on (and will rely on, if we ever get ID cards) encryption software.
If it doesn't work, then the theft of 45.7m sets of ID data would just about clear out the UK.
So, note to editors. Did TJX use encryption software, yes or no? And if so, which encryption software? We don't want to use that supplier for our ePassports and ID cards.
David Moss, London, UK
In the US, TJ Maxx asks customers for their home address and phone number after every sale, which I've always considered an oddity and not right. Why they do it is beyond me.
Jack Lee, Austin, TX USA
I hope that TK Maxx get prosecuted under the Data Protection Act.
Michael Cawood, Wrexham, Wales, UK
Only of online crime?
bill, bristol, UK