Compliance Management

TJX breach more severe than originally thought, says retailer

Hackers infiltrated network systems at TJX Companies -- potentially accessing the personal details of millions of shoppers -- for a longer period than the discount clothing retailer initially thought.

The Framingham, Mass.-based TJX, parent of T.J. Maxx and Marshalls, said investigators have determined the company’s network was actually breached in July 2005 and later that year, according to a statement released Wednesday. When the company reported the breach last month, it believed intrusions only occurred from May to December 2006.

In addition, the company said credit and debit card transactions completed between January 2003 and June 2004 at its U.S., Puerto Rican and Canadian outlets were compromised. TJX previously reported that the data was "potentially" accessed.

The company also said it has discovered evidence that the portion of its network that processes T.K. Maxx transactions may have also been hacked. T.K. Maxx stores are located in the U.K. and Ireland.

While some criticized TJX for failing to initially report the extent of the breach, customers should give the company a pass, said Miriam Wugmeister, head of the privacy and data security practice at Morrison and Foerster law firm in New York.

"It can be very difficult for organizations to quickly assess how much information has been compromised," she told SCMagazine.com today. "Sometimes, accurate information is equally important."

TJX still has not revealed how many customers have been affected, although industry experts suspect millions could be impacted.

"With the help of computer security experts, we have strengthened the security of our computer systems, and we believe customers should feel safe shopping our stores," Carol Meyrowitz, the company’s president and CEO, said Wednesday in a letter to customers. "We value the trust our customers place in us and again, I’d like you to know that we sincerely apologize for any difficulties you may have experienced."

The announcement comes as Massachusetts state representative introduced a first-of-its-kind bill that would force retailers such as TJX to compensate victims for losses when hackers breach their systems and steal private data.

As it stands now, in Massachusetts and in other states, banks are left covering the fraudulent losses. This bill would mandate that organizations doing business in Massachusetts take financial accountability for freezing credit card accounts.

TJX operates 821 T.J. Maxx outlets and 748 Marshalls stores and also owns HomeGoods, A.J. Wright and Bob’s Stores in the United States.

Click here to email reporter Dan Kaplan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.