TJX Breach Worse Than First Reported

Thu, February 22, 2007 — CIO —

According to The Boston Globe today, TJX Companies has stated that a data breach it revealed last month may have occurred a year earlier than investigators initially thought. The company operates the retail outlets T.J. Maxx, Marshalls and HomeGoods (2,500 stores in the United States), so the earlier date of the hacking may mean millions more customers were exposed. The company declined to give numbers, however.

TJX discovered the breach in December 2006, and it made news on Jan. 18, 2007. At that time the company reported that hackers may have made off with credit and debit information from transactions in the United States, Canada and Puerto Rico from some months in 2003 as well as transactions between May and December 2006.

Yesterday, according to the Globe, TJX said a systems review revealed that intrusions had occurred as early as July 2005, not May 2006.

This trickle of data breaches spread over time led some experts to judge the corporation’s computer systems outdated, weak and not up to card-company security standards.

The TJX website has the words “Important Customer Alert” prominently displayed on its homepage. Clicking on it brings up a Feb. 21 letter from Carol Meyrowitz, president and CEO of TJX, which apologizes for the inconveniences, assures consumers the company is investigating the breach and that, “With the help of computer security experts, we have strengthened the security of our computer systems and we believe customers should feel safe shopping in our stores.” TJX Chairman Ben Cammarata had released a similar, if less contrite, letter on Jan. 29. (For a reaction, see David Rosenbaum’s blog.)

TJX stock fell only 2 percent yesterday after the company’s latest. As the Globe says, “A test for TJX now is whether shoppers will be turned off by the lack of details about the security breach, or simply dismiss the matter as an unavoidable shopping risk.” Many businesses will be watching the results of that test.

—Sandy Kendall

Related Links:

Comments

$firstKeyword

More from IT Drilldown « Back to Security

Articles

Gumblar Malware's Home Domain is Active Again

Developer Finds Major Coding Errors in Facebook, MySpace

Boston Celtics Clamp Down on Spam

Postini Technology to Spread Across Google Apps

Federal Data Protection Law Inches Forward

Microsoft Plans Six Patches Next Week, Ties November Record

Six Steps to Pull App Security Back to the Future

Blue Coat Slashes Staff, Buys S7 Services Company

Mobile Security ABCs

Get up to speed on mobile security.

Learn More »

Security Newsletter

Security MarketSpace

8 Tactics to Combat Vulnerabilities

This white paper reviews 8 key elements of vulnerability management and provides advice on combating known vs. unknown vulnerabilities. Learn more »

Email and Web Threats Require a Layered Defense

Learn how web threats are changing and how using a layered defense strategy can give you the security you need. Learn more »

The Case for Data Protection for SMBs

Take Fraudsters Out of the Game

Easily identify account-device relationships and get data for in-depth forensic analysis. Learn more »

Mobile Security Landscape

This paper examines the current mobile security landscape, including myths surrounding the risks and threats, and how organizations can establish a solid mobile security strategy. Learn more »

Reducing Energy Costs in Your Data Center

This white paper examines the most common roadblocks to improving data center efficiency. Learn more »

Security convergence equals network security cost savings

Security convergence equals network security cost savings Learn more »

IBM ISS X-Force Threat and Risk Report

Read this Trend and Risk report from IBM® ISS X-Force® to learn statistical information about all aspects of threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity. Learn more »