In the first detailed report of a major security breach, TJX Cos. said information from 45.7 million credit and debit cards had been stolen by computer hackers beginning in July 2005.
The thieves, who gained entry to the off-price retailer's customer payment databases, also might have had access to the company's de-encryption software, according to a regulatory filing with the Securities and Exchange Commission made after business hours on Wednesday.
In addition, about 450,000 customers who returned merchandise without receipts may have had detailed personal information stolen, including addresses as well as Social Security and driver's license numbers.
TJX, which owns TJ Maxx, Marshalls and other retailers, said that stored data from "approximately half to substantially all the transactions at the U.S., Puerto Rican and Canadian stores" during an 18-month period from late 2002 until mid-2004 had been compromised.
Because of the technology used by the intruders, the company might never be able to discover the extent and specifics of the losses, said Sherry Lang, vice president of investor relations.
Seventy-five percent of the affected cards were either expired or had their "Track 2" data, the information contained on the magnetic strip on the back of credit and debit cards, masked, Lang said. Masking is a security process in which asterisks are swapped for numbers.
The data breach, which sparked a Federal Trade Commission investigation, has not affected sales of the Framingham, Mass.-based company, Lang said.
"We've done a lot of communicating," she said. "We're fielding tens of thousands of customer calls….We have deployed enormous resources, both human and financial, to investigate and further strengthen our systems and we want our customers to know that it is safe to shop our stores."
TJX, which operates 2,466 stores and recorded $17.4 billion in sales last year, faces a barrage of class-action lawsuits filed by customers and shareholders in the U.S. and Canada. The company also is being investigated by the Massachusetts Attorney General, in conjunction with 30 other states, for a delay in notifying banks, card processors and customers of the security breach. TJX said it was informed by card issuers of some fraudulent use, but had not been given specifics on the scope.
Hermès is launching a Laundromat pop-up shop in NYC - dubbed Hermèsmatic - where customers can bring their old scarves to be dip-dyed by an expert. Get all the details on WWD.com. #wwdnews (📷: @donstahl)