
TJX lost up to 45.6m card numbers

King of breaches


TJX has taken the crown for presiding over the largest credit card heist ever, with a tally of 45.6m numbers lost to unknown thieves who intruded on the US-based retailing giant's networks over a span of 17 months. Personal information, often including social security numbers, for at least 451,000 people was also lifted.

There's no reason to believe the theft stopped there. The intruders were able to conceal much of the contents they looted and in the regular course of business TJX administrators deleted many of the files believed stolen. Investigators may never know the true extent of the pilfering, TJX warned.

"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said in a filing (PDF) with the Securities and Exchange Commission.

Since January, when TJX first said it discovered a breach of sensitive customer data, the company's disclosures have been wanting for details. An update a month later did little to satisfy our need to know. The latest report is slightly improved, offering the following timeline:

On December 18, the company initiated an investigation after discovering suspicious software on its network. In short order, IBM and General Dynamics were called in to assist in the probe, and on December 21 they determined there was good reason to believe there was indeed an intruder who remained on the computer network. The investigators devised a plan to contain and monitor the intrusion.

On December 22, TJX met with law enforcement officials to brief them on the intrusion. The law enforcement agencies included the US Secret Service, which asked TJX to withhold disclosure of the breach so its cover wouldn't be blown.

On December 27, the company for the first time determined that customer information was among the data stolen. TJX updated officials of banks and law enforcement of that finding on January 3. Investigators discovered yet more burgled customer details 10 days later.

On January 17, TJX first notified the public, and a day later it learned the intrusion began much earlier than previously believed. The company now says its network was probably breached from July, 2005 to December, 2006. The servers were located in the US and the UK.

At risk are credit and debit card numbers for customers of TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US and Puerto Rico, customers of Winners and HomeSense stores in Canada and customers of TK Maxx stores in the UK.

To the credit of TJX, the company said customer names and addresses were not included with payment card data lifted from the US network. TJX's US operation often didn't store "Track 2" data from a card's magnetic stripe for transactions after September 2003. And by April 3 of last year, the company had started masking payment card PINs and other portions of payment card transactions. This was a great first step but begs the question why the retailer didn't do more to protect its customers.

Individuals suspected of using payment card information stolen from TJX were arrested last week in Florida.

Following yesterday's disclosure, the TJX debacle became the largest known theft of credit card data, topping the previous record held by CardSystems Solutions of 40 million records compromised in 2005, ComputerWorld reported. ®
