In the first detailed report of a major security breach, TJX Cos. said information from 45.7 million credit and debit cards had been stolen by computer hackers beginning in July 2005.
The thieves, who gained entry to the off-price retailer's customer payment databases, also might have had access to the company's de-encryption software, according to a regulatory filing with the Securities and Exchange Commission made after business hours on Wednesday.
In addition, about 450,000 customers who returned merchandise without receipts may have had detailed personal information stolen, including addresses as well as Social Security and driver's license numbers.
TJX, which owns TJ Maxx, Marshalls and other retailers, said that stored data from "approximately half to substantially all the transactions at the U.S., Puerto Rican and Canadian stores" during an 18-month period from late 2002 until mid-2004 had been compromised.
Because of the technology used by the intruders, the company might never be able to discover the extent and specifics of the losses, said Sherry Lang, vice president of investor relations.
Seventy-five percent of the affected cards were either expired or had their "Track 2" data, the information contained on the magnetic strip on the back of credit and debit cards, masked, Lang said. Masking is a security process in which asterisks are swapped for numbers.
The data breach, which sparked a Federal Trade Commission investigation, has not affected sales of the Framingham, Mass.-based company, Lang said.
"We've done a lot of communicating," she said. "We're fielding tens of thousands of customer calls….We have deployed enormous resources, both human and financial, to investigate and further strengthen our systems and we want our customers to know that it is safe to shop our stores."
TJX, which operates 2,466 stores and recorded $17.4 billion in sales last year, faces a barrage of class-action lawsuits filed by customers and shareholders in the U.S. and Canada. The company also is being investigated by the Massachusetts Attorney General, in conjunction with 30 other states, for a delay in notifying banks, card processors and customers of the security breach. TJX said it was informed by card issuers of some fraudulent use, but had not been given specifics on the scope.Six people were arrested in Florida last week for allegedly using card numbers believed to have been stolen from TJX and are said to have purchased about $1 million in products with gift cards.
The case is believed to represent the biggest retail data theft ever, and the timing of the company's initial disclosure has been one of the most controversial aspects.
TJX first became aware of suspicious software installed on corporate systems on Dec. 18. The next day, the company hired IBM and General Dynamics Corp. to investigate. TJX notified the Secret Service and other law enforcement agencies on Dec. 22, and banks and payment card and check processing firms on Dec. 26 and 27.
However, the company waited until Jan. 17 to make a public announcement about the security breach, leading to criticism that the retailer had put holiday sales ahead of its responsibilities to financial institutions and customers. TJX said it was advised by law enforcement officials that an immediate announcement could compromise the investigation.
@kith is moving into children’s. The men’s and women’s streetwear brand has launched Kidset, a Kith kids line located in New York at 64 Bleecker Street. The line includes mini versions of staple Kith pieces like the Astor bomber jacket and the Kith box logo sweatshirts, along with a wall that can display up to 120 pairs of shoes from @adidas, @newbalance, @timberland and more. #wwdfashion
“I just wanted to create this fully rounded character, but I do think what excited me most was just the opportunity to give a group of people representation that I feel needs it. I like to do characters in projects that stand for something and Karolina definitely does, so that was really exciting to me,” @ginnygardner says of her new role in @hulu’s “The Runaways.” Gardner plays Karolina Dean, a queer superhero, which is a rarity for @marvel. Read more about Gardner’s character on WWD.com #wwdeye (📷: @dandoperalski)
@heriethpaul and @gracebol have a moment on the @victoriassecret fashion show 2017. See every look from the runway on WWD.com. Link in bio. (📷: @giovanni_giannoni_photo) #wwdfashion #victoriassecret #VSFashionShow
“Azzedine has been one of the biggest influences in my life. He has always been such a strong, loving, fatherly figure to me. I call him Papa. His designs are indescribably unique, they are pieces of art. He knew how to make the female form look its loveliest. I have so many memories of him; my favorite might be during my first show with him in Paris. He liked me and he wanted to help me get more work. He called all his friends at Kenzo and Comme des Garcons, and asked them to book me. They said, ‘But she can’t walk!’ And he said, ‘but she has such a great ass!' His friendship and support has been the great privilege of my career. I can't imagine life without him. Repose en paix mon Papa.” - @stephanieseymour tells @wwd. #wwdfashion (📷: @steveeichner) #alaia #azzedinealaia
Azzedine Alaïa, flanked by two of his closest friends, models Stephanie Seymour and Naomi Campbell.
He designed Seymour’s dress for her 1995 wedding to Peter Brant, and treated Campbell (who famously called him Papa), like a daughter. For more on the legendary designer, tap the link in bio. #wwdfashion #alaia #azzedinealaia