TJX Companies revealed late Wednesday in a regulatory filing that hackers stole data from at least 45.7 million credit card holders when they illegally accessed the discount retailer's processing systems during 2005 and 2006. Experts today called it the largest data breach ever, saying it could spur federal disclosure legislation and increased scrutiny of corporate data management.
Intruders also made off with 451,000 pieces of personal information, such as driver’s license numbers, from customers who returned items without a receipt, the Framingham, Mass.-based company said in the filing with the Securities and Exchange Commission.
With one fell swoop, the number of records exposed since the watershed February 2005 Choice Point breach jumped nearly 50 percent, surpassing 150 million, according to the San Diego-based Privacy Rights Clearinghouse, a non-profit that tracks all reported breaches. The TJX incident now one-ups payment processing firm Card Systems, which lost 40 million records in a June 2005 hack.
In the case of TJX, which reported the breach in January, roughly three-quarters of the cards that had their information stolen either had their magnetic strip data masked or were attached to credit numbers that had expired, according to the filing. But the company, which operates some 2,500 stores, said in the filing that hackers may have used decryption tools.
The company is having difficulty pinning down exactly how much private information was stolen because it routinely deleted records between the time the intruders hacked in and the time TJX became aware of the crime, the filing said. In addition, the intruder used technology that "made it impossible for us to determine the contents of most files we believe were stolen in 2005," according to the filing.
TJX spokeswoman Sherry Lang told SCMagazine.com today that the number of files stolen could be much more.
Liz Gasster, acting executive director and general counsel of the Cyber Security Industry Alliance, said a monstrous number like 45 million may catch the eyes and ears of federal lawmakers. She hopes it will spur Congress to enact a federal breach notification and data security standards bill to eliminate the "hodgepodge" of state regulations.
"I think if there was ever a mandate for [Congress] to act, it’s now," she told SCMagazine.com. "This really underscores that best practices aren’t being followed."
TJX has said credit and debit card transactions completed between January 2003 and June 2004 at its U.S., Puerto Rican and Canadian outlets were compromised in the attack. Last month, the company said investigators determined its network was breached in July 2005 and later that year. When the company first reported the breach in January, it believed intrusions were confined to May to December 2006.
Cliff Pollan, CEO of data auditing firm Lumigent, told SCMagazine.com today that while corporations may never be able to fully defend against a breach, they can have solutions in place to better investigate events if it does happen.
"You need to instrument all your database assets so you can sense when something happens," he said. "If you do put strong controls in place, it will help to prevent this or if something does happen – and not all things are preventable – you’ll identify it quickly and mitigate the risk. As soon as people know the database is being watched, they tend to go somewhere else."
Toby Weiss, president and CEO of Application Security Inc., told SCMagazine.com that organizations must deploy tools for the entire vulnerability lifecycle so they can monitor, prioritize and fix holes in their systems.
Experts agreed the public seems to be getting immune to stories on data breaches, but this one might be different and could spell problems for TJX, which owns Marshall’s and T.J. Maxx, among other discount outlets.
"When you have a data breach that involves 45 million or more records, it’s in its own sphere," said Larry Ponemon, founder and chairman of the Ponemon Institute, which conducted a study last year on the cost of a data breach to an organization. "But despite that, we believe the true cost of a data breach will result in the loss of customer trust and goodwill. This is going to stick in the memory of the public for a long time."
Since the breach, Lang said TJX has earmarked "enormous" financial and human resources toward computer security.
"We believe it's absolutely safe to shop our stores," she said. "We have not seen any effect on our sales and we're very appreciative of our customers' patronage."
Meanwhile, reports are tricking in of people using the stolen credit card numbers for fradulent activity. Lang said police have informed the company of other similar incidents, but she would not elaborate.
TJX said in the filing that it is continuing the investigation and does not know how many people were responsible for the break-in.
Click here to email reporter Dan Kaplan.
Looking for a new job? SCMagazine.com has the latest IT security employment opportunities. Click here for our Jobs page.
