Feeds

TJX lost up to 45.6m card numbers

King of breaches

Build a business case: developing custom apps

TJX has taken the crown for presiding over the largest credit card heist ever, with a tally of 45.6m numbers lost to unknown thieves who intruded on the US-based retailing giant's networks over a span of 17 months. Personal information, often including social security numbers, for at least 451,000 was also lifted.

There's no reason to believe the theft stopped there. The intruders were able to conceal much of the contents they looted and in the regular course of business TJX administrators deleted many of the files believed stolen. Investigators may never know the true extent of the pilfering, TJX warned.

"Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said in a filing (PDF) with the Securities and Exchange Commission.

Since January, when TJX first said it discovered a breach of sensitive customer data, the company's disclosures have been wanting for details. An update a month later did little to satisfy our need to know. The latest report is slightly improved, offering the following time line:

On December 18, the company initiated an investigation after discovering suspicious software on its network. In short order, IBM and General Dynamics were called in to assist in the probe, and on December 21 they determined there was good reason to believe there was indeed an intruder who remained on the computer network. The investigators devised a plan to contain and monitor the intrusion.

On December 22, TJX met with law enforcement officials to brief them on the intrusion. The law enforcement agencies included the US Secret Service, which asked TJX to withhold disclosure of the breach so its cover wouldn't be blown.

On December 27, the company for the first time determined that customer information was among the data stolen. TJX updated officials of banks and law enforcement of that finding on January 3. Investigators discovered yet more burgled customer details 10 days later.

On January 17, TJX first notified the public, and a day later it learned the intrusion began much earlier than previously believed. The company now says its network was probably breached from July, 2005 to December, 2006. The servers were located in the US and the UK.

At risk are credit and debit card numbers for customers of TJ Maxx, Marshalls, HomeGoods and AJ Wright stores in the US and Puerto Rico, customers of Winners and HomeSense stores in Canada and customers of TK Maxx stores in the UK.

To the credit of TJX, the company said customer names and addresses were not included with payment card data lifted from the US network. TJX's US operation often didn't store "Track 2" data from the a card's magnetic stripe for transactions after September 2003. And by April 3 of last year, the company had started masking payment card PINs and other portions of payment card transactions. This was a great first step but begs the question why the retailer didn't do more to protect its customers.

Individuals suspected of using payment card information stolen from TJX were arrested last week in Florida.

Following yesterday's disclosure, the TJX debacle became the largest known theft of credit card data, topping the previous record held by CardSystems Solutions of 40 million records compromised in 2005, ComputerWorld reported. ®

Next gen security for virtualised datacentres

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?