TJX releases more details on massive data breach
By Greg Turner/Daily News staff
Thursday, March 29, 2007 - Updated: 08:52 AM EDT
FRAMINGHAM - Hackers stole at least 45.7 million customer payment card numbers from The TJX Cos. Inc.'s computer systems over a two-year period, the retail giant revealed in a regulatory filing.
The company halted the massive data theft on Dec. 18 when it "learned of suspicious software on our computer systems," TJX said in its annual report filed late Wednesday with the U.S. Securities and Exchange Commission.
The filing made public for the first time new details about the data theft. TJX first announced the computer intrusion on Jan. 17 and provided an update on its investigation on Feb. 18.
TJX also reported the theft of personal information -- including names and addresses -- of about 451,000 individuals from merchandise return transactions made primarily from the last four months of 2003 and May and June of 2004. TJX said it is notifying these people directly by letter.
TJX said that about three-quarters of the payment cards had either expired at the time of the theft, or data from their magnetic strips had been masked -- stored as asterisks rather than numbers.
But TJX acknowledged it still knows little about the full scope of the breach, in part because the hacker or hackers accessed TJX's encryption software and could have known how to unscramble the information.
In addition, TJX deleted much of the transaction data in the normal course of business between the time of the breach and the time that TJX detected it, making it impossible to know how many total cards were affected.