Data Theft Grows To Biggest Ever

Banks, too, have reported fraudulent transactions linked to the stolen TJX data, said Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, which expects all 209 of its bank members to have to cover costs of fraud associated with the breach. Banks are "very angry" at TJX for not investing in security, Spitzer said.

Since January, when TJX disclosed the breach, it has been the target of class-action lawsuits by shoppers in Massachusetts Alabama, California, Canada and Puerto Rico. "They're obviously not happy," attorney Jon J. Lambiras said of his clients in Massachusetts. "They're very concerned that they're at risk for identify theft."

Robert Mann of Massachusetts used his debit card to shop at several TJX stores in December, according to a written complaint. A month later, after a failed attempt to use his debit card, he checked his account online and realized 110 fraudulent transactions had been made or attempted on his card from Jan. 24-27, including charges in foreign countries. Mann said he had to take two unpaid days off work to investigate.

Sandra Fuller of Amarillo, Tex., was alerted by her local bank that her debit card had possibly been misused. Two charges were made in California in February while Fuller was in Texas: $407.42 at a Wal-Mart and $13.50 at Exxon, according to the complaint.

Other plaintiffs are worried their Social Security numbers were compromised because they were the same as their drivers' license numbers, which were stolen. Some had tied automatic bill payments to their bank accounts and were penalized when companies were unable to withdraw money, according to the complaint.

TJX is cooperating with a federal criminal investigation. State and federal authorities are also looking into whether TJX violated consumer-protection laws.

TJX spokeswoman Sherry Lang suggested that TJX was simply the most visible example of a widespread trend. "Breaches go on all the time that never get detected and never get reported," she said. "I think we have been victimized here along with our customers."

According to the filing, TJX discovered suspicious software on its computers Dec. 18 and began an investigation. Three days later, the company concluded that a breach had probably occurred and that the intruder was still on the system. The next day, it notified federal investigators. On Dec. 27, the firm learned that customer data had been stolen, and it notified banks and check-processing companies. On Jan. 17, TJX announced the intrusion but did not say how much data was taken.

Based on the firm's investigation, the intrusion occurred in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007. No customer data was stolen after Dec. 18, 2006.

Three-quarters of the cards were expired or contained magnetic strip data that was masked or stored as asterisks rather than numbers at the time the information was stolen. The firm stored data, some of which dated to 2003 transactions. Expired cards can still be at risk because they are often renewed with the same numbers, and the TJX filing said the hackers' technology could have penetrated masked data.

The thieves stole data from the firm's computer systems in Framingham, where transactions are processed for customers in the United States, Puerto Rico and Canada. They also took data from systems in Watford, England.

The firm's share price closed up 1.3 percent yesterday, at $26.85.

Security and privacy experts said TJX is the most glaring example of a spreading trend in industry and government. A soon-to-be-released study by the Ponemon Institute, a privacy research organization, of 649 companies and government agency information security personnel found that 61 percent thought their organizations were ill-equipped to respond to hacker threats, said Larry Ponemon, institute chairman.

Staff researcher Richard Drezen contributed to this report.