T.J. Maxx theft believed largest hack ever

TJX also remains uncertain of the theft’s size because it deleted much of the transaction data in the normal course of business between the time of the breach and the time TJX detected it.

“There is a lot of information we don’t know, and may never be able to know, which is why this investigation has been so laborious,” TJX spokeswoman Sherry Lang said.

TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from transactions dating to January 2003. TJX didn’t find out about the breach until last Dec. 18, when it learned of “suspicious software on our computer systems.”

The company then hired outside investigators and notified federal authorities before issuing a Jan. 17 news release. TJX says the monthlong delay in disclosing the breach allowed it to work with security experts to contain the problem.

TJX said in the filing that “substantially all stolen data” from transactions in the period Nov. 24, 2003, to June 28, 2004, were deleted. Lang said the company was investigating why information stolen earlier in 2003 wasn’t routinely deleted.

Deleting such information after transactions “should be standard practice” to guard against theft, said Taneja, the security expert, but many firms nevertheless don’t follow through.
TJX’s filing says the company “does not know who took this action, and whether there were one or more intruders involved.”

How far scams like the one in Florida may have spread because of the TJX breach is unknown.
“It’s been all over the world,” said Bruce Spitzer, spokesman for the Massachusetts Bankers Association. “It’s the downstream transactions we’ve been hearing about,” involving thieves who buy stolen data from others, often hackers in other countries.

On Jan. 24, 60 of the 205 banks in the state association reported they had been contacted by credit card companies about cards that had been compromised. The next time the association conducts such a survey, Spitzer expects “it will be near 100 percent” based on recent reports from member banks.

A spokesman for the American Bankers Association said the group had not been tracking such data.

TJX faces an investigation by the Federal Trade Commission, which could fine the company, and lawsuits accusing the firm of failing to safeguard private data.

TJX is the parent company of stores including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada and T.K. Maxx in Britain.

MORE FROM SECURITY

Security Section Front

The biggest security threats in 2010 Citigroup denies computer-system breach Twitter temporarily hacked, now up White House picks new cyber czar Pentagon: Insurgents intercepted spy videos Privacy watchdog files complaint against Facebook Ohio court: Cell phone searches require warrant Nearly 1 in 3 older teens gets ‘sexting’ messages Australia to block obscene, crime-linked sites After criticism, Facebook tweaks settings again Security Section Front   Add Security headlines to your news reader: