In the first detailed report of a major security breach, TJX Cos. said information from 45.7 million credit and debit cards had been stolen by computer hackers beginning in July 2005.
The thieves, who gained entry to the off-price retailer's customer payment databases, also might have had access to the company's de-encryption software, according to a regulatory filing with the Securities and Exchange Commission made after business hours on Wednesday.
In addition, about 450,000 customers who returned merchandise without receipts may have had detailed personal information stolen, including addresses as well as Social Security and driver's license numbers.
TJX, which owns TJ Maxx, Marshalls and other retailers, said that stored data from "approximately half to substantially all the transactions at the U.S., Puerto Rican and Canadian stores" during an 18-month period from late 2002 until mid-2004 had been compromised.
Because of the technology used by the intruders, the company might never be able to discover the extent and specifics of the losses, said Sherry Lang, vice president of investor relations.
Seventy-five percent of the affected cards were either expired or had their "Track 2" data, the information contained on the magnetic strip on the back of credit and debit cards, masked, Lang said. Masking is a security process in which asterisks are swapped for numbers.
The data breach, which sparked a Federal Trade Commission investigation, has not affected sales of the Framingham, Mass.-based company, Lang said.
"We've done a lot of communicating," she said. "We're fielding tens of thousands of customer calls….We have deployed enormous resources, both human and financial, to investigate and further strengthen our systems and we want our customers to know that it is safe to shop our stores."
TJX, which operates 2,466 stores and recorded $17.4 billion in sales last year, faces a barrage of class-action lawsuits filed by customers and shareholders in the U.S. and Canada. The company also is being investigated by the Massachusetts Attorney General, in conjunction with 30 other states, for a delay in notifying banks, card processors and customers of the security breach. TJX said it was informed by card issuers of some fraudulent use, but had not been given specifics on the scope.Six people were arrested in Florida last week for allegedly using card numbers believed to have been stolen from TJX and are said to have purchased about $1 million in products with gift cards.
The case is believed to represent the biggest retail data theft ever, and the timing of the company's initial disclosure has been one of the most controversial aspects.
TJX first became aware of suspicious software installed on corporate systems on Dec. 18. The next day, the company hired IBM and General Dynamics Corp. to investigate. TJX notified the Secret Service and other law enforcement agencies on Dec. 22, and banks and payment card and check processing firms on Dec. 26 and 27.
However, the company waited until Jan. 17 to make a public announcement about the security breach, leading to criticism that the retailer had put holiday sales ahead of its responsibilities to financial institutions and customers. TJX said it was advised by law enforcement officials that an immediate announcement could compromise the investigation.
“My personal philosophy to beauty is paying attention to oneself. I love to be outdoors, lots of fresh air, trying to take care of yourself as best you can. I always notice that comes through,” says Felicity Jones, the global face of @shiseido-owned @cledepeaubeauteus, which launches today. Head to WWD.com to read more about the actress’ love for beauty and how she prepared for her new role in “The Basis of Sex,” playing the young Ruth Bader Ginsburg. #wwdbeauty (📷: @dandoperalski)
For men’s fall 2018, @giuseppezanotti drew on elements from streetwear, sport, biker, combat and rock ‘n’ roll. Pictured here are a pair of shoes from the collection, featuring zippers, rhinestones, and silver hardware. Head to WWD.com to see a roundup of the accessories from Milan’s men’s fall 2018 shows. #wwdfashion (📷: Andrea Delb)
To celebrate the 25th anniversary of @ralphlauren’s snowboarding collection, the brand is mining its archives. The iconic brand is reintroducing vintage styles and dropping new designs for a color capsule that will be available in Ralph Lauren stores and @openingceremony on January 25. The capsule will consist of 10 pieces, including the Snow Beach Pullover, pictured here, which is a collector’s item that rapper Raekwon wore in Wu-Tang Clan’s “Can It Be All So Simple” video. #wwdfashion (📷: Tom Gould)
For @rochasofficial’s pre-fall 2018 collection, creative director Alessandro Dell’Acqua channeled the sophisticated and intriguing Catherine Denevue in the film “Belle de Jour.” Polished collarless coats, midi skirts, suits and ’60s graphic motifs were all featured in the collection, adding a sense of discreet luxury. See the rest of the photos on WWD.com #wwdfashion
“We tried to produce clothing of that couture quality, but the most daunting part was that we only had a matter of days [to do it],” said costume designer Lou Eyrich, who recreated Gianni Versace’s iconic looks for @americancrimestoryfx. Eyrich searched online retailers and vintage shops for original pieces from the design house and for @penelopecruzoficial, who plays Donatella Versace. Head to WWD.com to read how she created the Versace world. #wwdfashion
Only three months after her stellar debut catwalk season, @kaiagerber has inked her first big design collaboration –– with @karllagerfeld. The collection blends Lagerfeld’s Parisian chic aesthetic and the model’s signature West Coast casual style via RTW, accessories, footwear and more. The #KarlLagerfeldxKaia collection will launch in September with a series of events. Get all the details on WWD.com. #wwdnews #wwdfashion
Harrods plans to remove the famous statue of Princess Diana and Dodi Al Fayed from the bottom of the Egyptian escalators and hand it back to Mohamed Al-Fayed. “We are very proud to have played our role in celebrating the lives of Diana, Princess of Wales and Dodi Al Fayed at Harrods and to have welcomed people from around the world to visit the memorial for the past 20 years,” said Michael Ward, Harrods managing director. “With the announcement of the new official memorial statue to Diana, Princess of Wales at Kensington Palace, we feel that the time is right to return this memorial to Mr. Al Fayed and for the public to be invited to pay their respects at the palace.” More on the news, with reporting by @loreleimarfil, at WWD.com. #wwdnews