Hackers target TK Maxx customers

Hackers have stolen information from at least 45.7 million credit card holders of the US retailer TJX, which owns TJ Maxx and UK outlet TKMaxx.

Experts in the US called it the largest data breach ever, saying it could spur legal action and increased scrutiny of corporate data management.

The Intruders illegally accessed the discount retailer's processing systems during 2005 and 2006 and also made off with 451,000 pieces of personal information, such as driver’s license numbers, from customers who returned items without a receipt, the company said.

The number of records exposed since the watershed in February 2005 Choice Point breach jumped nearly 50 per cent, surpassing 150 million, according to the San Diego-based Privacy Rights Clearinghouse, that tracks all reported breaches.

In the case of TJX, which reported the breach in January, roughly three-quarters of the cards that had their information stolen either had their magnetic strip data masked or were attached to credit numbers that had expired, according to a regulatory filing. But the company, which operates some 2,500 stores, said that hackers may have used decryption tools.

The company is having difficulty pinning down exactly how much private information was stolen because it routinely deleted records between the time the intruders hacked in and the time TJX became aware of the crime.

TJX spokeswoman Sherry Lang told SCMagazine.com today that the number of files stolen could be much more.

Cliff Pollan, CEO of data auditing firm Lumigent, told SCMagazine.com today that while corporations may never be able to fully defend against a breach, they can have solutions in place to better investigate events if it does happen.

"You need to instrument all your database assets so you can sense when something happens," he said. "If you do put strong controls in place, it will help to prevent this or if something does happen – and not all things are preventable – you’ll identify it quickly and mitigate the risk. As soon as people know the database is being watched, they tend to go somewhere else."

Experts agreed the public seems to be getting immune to stories on data breaches, but this one could spell problems for TJX.

"When you have a data breach that involves 45 million or more records, it’s in its own sphere," said Larry Ponemon, founder and chairman of the Ponemon Institute. "But despite that, we believe the true cost of a breach will result in the loss of customer trust and goodwill. This is going to stick in the memory of the public for a long time."

Since the breach, Lang said TJX has earmarked "enormous" financial and human resources toward computer security.

"We believe it's absolutely safe to shop our stores," she said. "We have not seen any effect on our sales and we're very appreciative of our customers' patronage."

TJX said that it is continuing the investigation and does not know how many people were responsible for the break-in.

Sign up to our newsletters