Network of T.J. Maxx, Marshalls parent company hacked, unknown amount of customer credit card information stolen


A major clothing retailer announced Wednesday that hackers accessed its network and stole an unknown amount of credit card information.

TJX Companies, a Framingham, Mass.-based discount apparel and home fashions department store chain that includes T.J. Maxx and Marshalls stores, said in a statement that the extent of the breach remains unknown, although thieves may have been silently pilfering private data for up to three years before their actions were detected in December.

Potentially millions of customers may be impacted, experts said.

"It's yet another example of how attackers have gone pro and really focused on the data," Ted Julian, vice president of marketing and strategy at New York-based data security firm AppSecInc, told today.

The breach affects credit card, debit card, check and merchandise return transactions for customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright stores in the United States and Puerto Rico and Winners and HomeSense stores in Canada.

The incident also may affect customers of Bob's Stores in the United States and T.K. Maxx in the United Kingdom and Ireland.

The company, which has 2,500 storefronts, would not say exactly how many customers are possibly affected.

Ben Cammarata, chairman and acting CEO of TJX, suggested in the statement that customers should monitor their credit card records for unauthorized transactions.

"We are deeply concerned about this event and the difficulties it may cause our customers," he said. "We want to assure our customers that this issue has the highest priority at TJX."

Visa is contacting affected financial institutions to inform them that the cards they issued are involved in the breach, Rosetta Jones, vice president of Visa USA, said today in a statement. She added that all major credit cards accepted by TJX were impacted by the incident.

"Visa is risk scoring all transactions in real-time, helping card issuers better distinguish fraudulent transactions from legitimate ones," Jones said.

Visa has already contacted about 10 banks in Massachusetts, said Bruce Spitzer, a spokesman for the Massachusetts Banking Association, told today. That number is expected to significantly rise today as the association, which represents 205 banks in the state, surveys its members, Spitzer said.

He said the incident concerns his organization because banks likely will be left absorbing the costs of fraudulent activity and re-issuing credit cards.

"If a retailer has a data breach because they're sloppy, why does the bank have to absorb all the costs?" Spitzer said. "It could potentially be a very big hit."

TJX has hired several network security providers to determine what personal information was compromised and to implement new safeguards, according to the statement.

"With the help of leading computer security experts, TJX has significantly strengthened the security of its computer systems," the statement said, providing no specific details. "While no computer security can completely guarantee the safety of data, these experts have confirmed that the containment plan adopted by TJX is appropriate to prevent future intrusions and to protect the safety of credit card, debit card and other customer transactions in its stores."

Julian would not speculate on what security measures may have been lacking, but he said encryption and activity monitoring solutions could help safeguard companies in this era of silent, targeted attacks. "People are after your data," he said. "They're much more resourceful. They're much more devious in how they go about it, and the stakes are getting even higher."

TJX is working with law enforcement authorities and credit card providers in an investigation.

Julian said it will be interesting to learn whether TJX was in full compliance with the Payment Card Industry (PCI) standard, which consists of 12 guidelines to protect customer information.

The fact that TJX reported the breach suggests the data was not encrypted, one of the requirements of PCI.

"It's essential for all businesses that handle payment card information adhere to the highest data protection standards for the security and privacy of their customers' financial information," Jones said.

Click here to email reporter Dan Kaplan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.