The TJX Companies, a large retailer that owns T.K. Maxx in the UK, said yesterday it suffered a massive computer breach on a portion of its network handling credit card, debit card, cheque and merchandise transactions in the US and abroad.
The US company, which operates over 2,000 retail outlets under brands such as Bob's Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, did not know the extent of the breach, which was first discovered in December. But transactions from T.K. Maxx in the UK and Ireland, along with other brands' customer data, may have been exposed in the breach.
But hackers may have made off with credit and debit information from transactions in the US, Canada, and Puerto Rico in 2003 as well as transactions between May and December 2006, according to a company statement.
Banking officials say that the TJX breach is behind a recent warning by Visa to banks in Massachusetts, which have contacted customers in recent days and had to reissue thousands of ATM and debit cards. In the end, the hack may affect a wide range of credit card companies and thousands of consumers in the US, as well as the UK and Ireland, experts say.
TJX said it is working with suppliers IBM and General Dynamics to investigate the breach, which is believed to have occurred on computer systems that process and store information on customer transactions for a number of its brands.
TJX said it knows of "a limited number of credit card and debit card holders whose information was removed from the system," and has provided that information to credit card companies. TJX is also working with law enforcement, including the US Department of Justice, Secret Service, and Royal Canadian Mounted Police, TJX said in its statement.
The company said it does not yet have enough information to determine the extent of the breach or what other customer information may have been compromised, nor can it quantify the financial impact of the breach.
Between eight and 10 Massachusetts banks have already had customers whose accounts were raided as a result of the breach. Those banks have had to reissue debit cards in response, said Bruce Spitzer, director of communications at the Massachusetts Bankers Association (MBA).
However, the MBA is still surveying its membership of 205 banks and credit unions. The effect of the TJX hack could be much wider and international in scope, he said.
Fitchburg Savings Bank in Fitchburg, Massachusetts, has had to reissue 1,300 cards to customers whose account information was stolen, said Linda Racine, an executive vice president at the bank.
Fitchburg Savings was contacted by Visa on Monday night about the compromised customer accounts. However, the credit card company would not reveal the identity of the retailer that was the source of the breach, citing company rules, Racine said.
Fitchburg Savings has sent letters to customers and reissued cards for affected accounts. However, no Fitchburg Savings customers appear to have been victims of fraud so far, she said.
The TJX breach recalls other recent hacks, including BJ's Wholesale Club and another, reportedly at OfficeMax in 2005. Those breaches, as well as incidents like the hacking of card processor CardSystems, prompted the payment card industry to issue new rules, dubbed the PCI, about how sensitive data is stored and transmitted on internal systems.
However, Spitzer of the MBA said that banks still bore the brunt of security breaches at retailers because they have to pay to reissue cards to customers and absorb the financial losses from unauthorized account withdrawals. Small banks and credit unions often have trouble absorbing those costs, though they are not at fault in the breach itself, Spitzer said.
Spitzer took issue with the delay between the time TJX learned of the breach and when his organization and banks were notified, as well as with Visa's policy of keeping the source of the breach a secret. "We would have liked to have known sooner," he said.