Customer Data Breach Began in 2005, TJX Says

TJX's retail chains include clothing discounters T.J. Maxx and Marshalls. It operates more than 2,400 stores.
TJX's retail chains include clothing discounters T.J. Maxx and Marshalls. It operates more than 2,400 stores. (By Elise Amendola -- Associated Press)
By Ellen Nakashima
Washington Post Staff Writer
Thursday, February 22, 2007

Retail giant TJX, whose stores include discount clothing chains T.J. Maxx and Marshalls, said yesterday that a computer-security breach stretched back 10 months earlier than the company originally thought, compromising credit and debit card data, drivers' license numbers, and names and addresses.

The announcement underscores a trend of security breaches involving sensitive credit card data and reflects failures to properly secure computer systems, to notify customers when breaches occur and to update laws for the cyber-crime age, lawmakers and analysts said.

TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks its computer system was also hacked in July 2005 and on "various subsequent dates" that year. The company, which reported the intrusion in January -- a month after it said it discovered the breach -- has not said how many customers may have been affected or how many customers it has notified.

"We don't have a number for you there. Our work is not finished," spokeswoman Sherry Lang said yesterday. More than 50 computer experts are helping TJX investigate the breaches, she said.

Banks that issued the credit cards have not said how much they have had to cover in fraud-related losses.

More than 30 states have laws that require companies to notify customers as soon as possible when a breach has occurred, though most of the statutes let companies delay notification while law enforcement agencies investigate. A bipartisan group of senators has reintroduced legislation that would mandate customer notification and require companies that maintain personal information to establish internal policies to protect it.

"Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer, yet our privacy laws haven't kept pace," Sen. Patrick J. Leahy (D-Vt.) said in a statement when the legislation was reintroduced this month.

The credit card industry has set up rules for data protection called the Payment Card Industry Data Security Standard. They include encrypting transmission of cardholder data, regularly testing security systems and processes, and restricting access to data to those with a "need to know."

But most large retailers have not complied with the standard, and noncompliance is about 80 percent among smaller retailers, said Avivah Litan, an analyst with Gartner, an information technology research firm.

Litan said the retailers are not solely to blame. "It's a collective problem with collective responsibility," she said. "Certainly the retailers have to tighten up their systems, but the banks have to strengthen cardholder authentication so even if the data is stolen, it's useless."

Security breaches are difficult to quantify accurately. The Privacy Rights Clearinghouse, a nonprofit research and advocacy group in San Diego, said more than 100 million records of U.S. residents have been exposed by security breaches since February 2005.

The privacy group and the nonprofit Identity Theft Resource Center, also in San Diego, found that the majority of breaches they have tracked in the past few years occurred in government, the military and universities.

CONTINUED     1        >

© 2007 The Washington Post Company