In the first detailed report of a major security breach, TJX Cos. said information from 45.7 million credit and debit cards had been stolen by computer hackers beginning in July 2005.
The thieves, who gained entry to the off-price retailer’s customer payment databases, also might have had access to the company’s de-encryption software, according to a regulatory filing with the Securities and Exchange Commission made after business hours on Wednesday.
In addition, about 450,000 customers who returned merchandise without receipts may have had detailed personal information stolen, including addresses as well as Social Security and driver’s license numbers.
TJX, which owns TJ Maxx, Marshalls and other retailers, said that stored data from “approximately half to substantially all the transactions at the U.S., Puerto Rican and Canadian stores” during an 18-month period from late 2002 until mid-2004 had been compromised.
Because of the technology used by the intruders, the company might never be able to discover the extent and specifics of the losses, said Sherry Lang, vice president of investor relations.
Seventy-five percent of the affected cards were either expired or had their “Track 2″ data, the information contained on the magnetic strip on the back of credit and debit cards, masked, Lang said. Masking is a security process in which asterisks are swapped for numbers.
The data breach, which sparked a Federal Trade Commission investigation, has not affected sales of the Framingham, Mass.-based company, Lang said.
“We’ve done a lot of communicating,” she said. “We’re fielding tens of thousands of customer calls….We have deployed enormous resources, both human and financial, to investigate and further strengthen our systems and we want our customers to know that it is safe to shop our stores.”
TJX, which operates 2,466 stores and recorded $17.4 billion in sales last year, faces a barrage of class-action lawsuits filed by customers and shareholders in the U.S. and Canada. The company also is being investigated by the Massachusetts Attorney General, in conjunction with 30 other states, for a delay in notifying banks, card processors and customers of the security breach. TJX said it was informed by card issuers of some fraudulent use, but had not been given specifics on the scope.
Six people were arrested in Florida last week for allegedly using card numbers believed to have been stolen from TJX and are said to have purchased about $1 million in products with gift cards.
The case is believed to represent the biggest retail data theft ever, and the timing of the company’s initial disclosure has been one of the most controversial aspects.
TJX first became aware of suspicious software installed on corporate systems on Dec. 18. The next day, the company hired IBM and General Dynamics Corp. to investigate. TJX notified the Secret Service and other law enforcement agencies on Dec. 22, and banks and payment card and check processing firms on Dec. 26 and 27.
However, the company waited until Jan. 17 to make a public announcement about the security breach, leading to criticism that the retailer had put holiday sales ahead of its responsibilities to financial institutions and customers. TJX said it was advised by law enforcement officials that an immediate announcement could compromise the investigation.