Retail giant TJX, the parent company of T.J. Maxx, Marshalls and several other retailers, confirmed Wednesday that credit- and debit-card information on at least 45.7 million of its customers was stolen in 2003.
Although TJX said 75 percent of the cards had either expired or had masked magnetic stripe data at the time of the theft, the incident represents the largest credit-card theft in history and, once again, highlights the consequences for companies that don't do enough to secure cardholder data.
In a Wednesday 10-K filing, TJX said credit card data was stolen between January 2003 and June 2004 from its systems in Framingham, Mass., where credit-card and merchandise-return transaction information is stored.
The 45.7 million number refers to cards that were compromised from January 2003 to November of the same year, and TJX didn't provide estimates for the subsequent six-month period, which suggests that the actual number of compromised cards could be higher.
"Substantially all stolen data from these periods were deleted in the ordinary course of business subsequent to the believed theft but prior to discovery of computer intrusion," according to the filing.
TJX admitted that it may never know the full scope of the breach because of the sophisticated techniques that the hackers used to cover their tracks.
While TJX had installed masking and encryption technology on its Framingham system, the thieves were able to pilfer credit card information during the transaction approval process, in which data is transmitted to payment card issuers without encryption, according to the filing.
Attackers also had access to the decryption tool for the encryption software that TJX had installed to protect the Framingham system, the company said. "Due to the technology utilized by the intruder, we are unable to determine the nature or extent of information included in these files," according to the filing.
TJX said it doesn't know the extent of fraud related to the breach, although Florida authorities earlier this month charged six people in connection with using credit card numbers from the TJX breach to fraudulently buy more than $8 million in goods from Wal-Mart stores in that state.
TJX also revealed that it's being sued by several banks and other individuals in connection with the breach, and the company suggested that payment-card companies and associations, such as Visa and MasterCard, may seek to levy fines as a result of the theft.
Since the breach was announced in January, experts have speculated that TJX could face heavy fines from card companies for improperly storing customer data on its networks, in violation of the Payment Card Industry Data Security Standard (PCI DSS).
But even if data is encrypted, PCI won't help when attackers have access to the deciphering tool, said Barry Johnson, director of risk mitigation at igxglobal, a Rocky Hill, Conn.-based solution provider.
PCI would come into play in the TJX incident in terms of what access controls TJX had in place to restrict access to the data, according to Johnson. "It's great that they had encryption on the system, but there's no reason someone should have been able to access that database in the first place," he said.
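Johnson's point, that encryption at rest is worthless once the intruder holds the decryption tool and that the real control is who can reach the data in the first place, can be made concrete with a small model. The following is an added illustration, not code from TJX or from any product mentioned in the article: it uses a constructed toy stream cipher (HMAC-SHA256 keystream, for illustration only, not production cryptography), a `KeyCustodian` that keeps the key apart from the transaction store and decrypts only for an allow-listed role while recording every attempt, and a `mask_pan` helper that produces the PCI-style display form. The card number, principal names and roles are constructed sample values.

```python
import hashlib
import hmac
import secrets


# Toy stream cipher (constructed for this illustration, NOT production crypto):
# keystream block i = HMAC-SHA256(key, nonce || i), XORed into the data.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def mask_pan(pan: str) -> str:
    """Display form of a card number: only the last four digits survive."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def colocated_key_is_fatal() -> bool:
    """Models the situation in the filing: whoever can read the store AND the
    decryption tool/key gets plaintext, so encryption alone adds nothing."""
    key = secrets.token_bytes(32)  # key stored next to the data it protects
    blob = encrypt(key, b"4111111111111111")  # constructed test number
    return decrypt(key, blob) == b"4111111111111111"


class KeyCustodian:
    """Holds the key apart from the data store and gates every decryption
    with a role allow-list; each attempt, allowed or denied, is audited."""

    def __init__(self, allowed_roles):
        self._key = secrets.token_bytes(32)
        self._allowed = frozenset(allowed_roles)
        self.audit = []  # (principal, role, outcome) for every decrypt attempt

    def seal(self, plaintext: bytes) -> bytes:
        return encrypt(self._key, plaintext)

    def open_for(self, principal: str, role: str, blob: bytes) -> bytes:
        allowed = role in self._allowed
        self.audit.append((principal, role, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{principal} ({role}) may not decrypt cardholder data")
        return decrypt(self._key, blob)


class TransactionStore:
    """The transaction/return database: ciphertext and masked PAN only, no key."""

    def __init__(self):
        self.rows = {}

    def put(self, txn_id: str, blob: bytes, masked: str) -> None:
        self.rows[txn_id] = {"pan_enc": blob, "pan_masked": masked}


def demo() -> dict:
    custodian = KeyCustodian(allowed_roles={"settlement-batch"})  # hypothetical role
    store = TransactionStore()
    pan = "4111 1111 1111 1111"  # constructed test number, not a real card
    store.put("txn-0001", custodian.seal(pan.encode()), mask_pan(pan))
    results = {}
    blob = store.rows["txn-0001"]["pan_enc"]
    # A principal who can read the store still cannot recover plaintext:
    # the custodian refuses to decrypt for a role that is not on the list.
    try:
        custodian.open_for("alice", "report-viewer", blob)
        results["viewer"] = "plaintext"
    except PermissionError:
        results["viewer"] = "denied"
    # The one role with a business need gets plaintext, and the call is logged.
    results["batch"] = custodian.open_for("settlement", "settlement-batch", blob).decode()
    results["masked"] = store.rows["txn-0001"]["pan_masked"]
    results["audit"] = list(custodian.audit)
    return results


if __name__ == "__main__":
    print(demo())
```

The contrast between `colocated_key_is_fatal()` and `demo()` is the whole point: in the first, the store and the key sit together, so reading the database is the same as reading the cards; in the second, the database holds only ciphertext and a masked value, and plaintext exists only for a principal the custodian was explicitly told to serve, with an audit trail a detection team can alert on.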
TJX spokeswoman Sherry Lang didn't return a phone call seeking comment.
In the filing, TJX, which has more than 2,500 stores worldwide, provided a detailed timeline on the breach, which it disclosed in January.
TJX discovered that its systems had been compromised by unknown attackers on Dec. 18, 2006, and the company immediately hired incident response teams from General Dynamics and IBM to assist with the investigation.
The investigation found that intruders first broke into TJX's systems in July 2005 and did so again from mid-May 2006 to mid-January 2007. However, TJX said no customer data was stolen after the breach was discovered on Dec. 18, 2006.
To cover the investigation, security upgrades and legal fees, TJX recorded a pretax charge of about $5 million, or 1 cent per share, for the fourth quarter of fiscal 2007, the company said in the filing.