Banks Say Scope Of TJX Breach Doubles First Estimates

This January, the company revealed a large-scale intrusion of customer credit card information dating back to July 2005. At the time, the business, which operates a chain of more than 2,000 retail stores including TJ Maxx and Marshalls, reported that 45 million credit card accounts might have been compromised by the theft. In a lawsuit filed today by a group of affected banks, the number of affected cards has allegedly more than doubled, to 94 million cards from 46 million cards. The breach may wind up costing TJX a billion dollars.

The breach compromised personal data on 65 million Visa accounts and 29 million MasterCard accounts. Some reports estimate the financial damage to Visa ranges from $68 million to $83 million. Calls to Visa were not immediately returned. MasterCard spokesman Chris Harrall declined to comment, citing the ongoing nature of the investigation.

Gary Fish, CEO of Kansas City, Mo.-based solution provider Fishnet Security, says it's difficult to make generalizations regarding what a company could or should have done to prevent a breach. "The reality of this matter is the ongoing threat facing large organizations," he says. "The goal is to establish information security practices and technologies at the core of their business infrastructure and help them manage security solutions."

TJX says the hackers entered through holes in its Wi-Fi network. The company was cited in a report by the Office of the Privacy Commissioner of Canada for using an outdated encryption protocol, Wired Equivalent Privacy (WEP). TJX decided to implement a security update in late September 2005, before the breach occurred. The new security standard is Wi-Fi Protected Access (WPA).

According to the report, two hackers initiated the breach in Miami at two Marshalls stores. The report states the hackers entered by aiming an antenna at the store from outside and using a laptop to crack the WEP encryption, which eventually led them into TJX's customer database.

Repeated calls to TJX were not immediately returned.