At least 45 million shoppers using credit and debit cards at TJ Maxx and Marshalls have had their card details stolen by hackers over a period of 4 or more years. This is believed to be the largest breach of consumer information in history.
The theft was disclosed about two months ago. TJX, the parent company of TJ Maxx and Marshalls and owner of over 2,500 discount stores, has released the figure of 45 million compromised cards and has acknowledged that the number could get even higher.
The disclosures, made March 28th in a regulatory filing, reveal security holes that are common among many organizations trusted with private consumer data, such as credit card information. TJX failed to delete data from customer transactions promptly, and failed to guard secrets regarding how the data is protected with encryption.
According to details provided by Deepak Taneja, chief executive of Aveksa, a firm that advises companies on information security issues, it was determined that TJX records did not indicate when information was deleted or who had access to which portions of the information. There was also some question as to whether the information kept in these files was encrypted, so it is hard to predict how large an issue this case really is.
While the extent of the damages this case will cause is not yet known, it has reached as far as Sweden and Hong Kong, with banks reissuing credit cards to customers in the US as well as various other countries. The Massachusetts Bankers Association is tracking the fraud reports linked to the parent company of TJ Maxx stores across both North America and the United Kingdom.
As of now, the only arrests that have resulted from this case involve 10 people in Northern Florida who are suspected of having purchased customer data from the TJX hackers in order to purchase Wal-Mart gift cards. The gift cards were used to buy $1 million in merchandise, including jewelry and electronics, at Wal-Mart’s Sam’s Club stores, as reported by the Gainesville, Florida police.
TJX claims that about three-quarters of the 45 million plus stolen cards had expired when they were stolen or, if not expired, that the stolen information did not contain the security code data from the magnetic stripes on the backs of the credit cards. After the incident, TJX began encrypting the security code data by storing it as asterisks in the computer’s database rather than numbers, starting in September of 2003.
TJX also claims that approximately 455,000 additional customers had data stolen as a result of returning merchandise without receipts, and that this data includes the customers’ driver’s license numbers.
Before the TJX security breach, the largest case tracked by the Privacy Rights Clearinghouse involved the credit card processor CardSystems in June of 2005, with over 40 million cardholders coming under attack. The TJX case is currently affecting about 46 million consumers.