A security breach at retailer TJX Companies last month already has resulted in violations of numerous credit card customers' accounts and the cancellation and reissue of cards by as many as ten different banks.
The breach, which occurred in mid-December but was not reported until yesterday, affects customers of TJX's retail stores, including TJ Maxx, Marshalls, HomeGoods, and A.J. Wright. The stolen data dates back to 2003, possibly exposing personal information of millions of customers.
As many as ten banks report that they have seen customer accounts raided in Massachusetts alone. Fitchburg Savings Bank, a small Massachusetts bank, deactivated 1,300 debit-ATM cards on Tuesday after being informed of the breach by Visa USA.
"What's surprising about this particular breach is how quickly the information is being used," says David Taylor, vice president of data security strategies at Protegrity, a data security management company. "Customers only found out about it yesterday, but there have been a number of thefts already reported."
TJX said the data was stolen from a network that handles a wide range of financial information, including credit cards, debit cards linked to checking accounts, and transactions for returned merchandise. The company provided no information on how the breach occurred, but its statement to customers says the data was "removed," causing some experts to suggest a software intrusion.
TJX, based in Framingham, Mass., has reported the intrusion to law enforcement agencies in the U.S. and Canada, but says "the full extent of the theft and affected customers is not known." The company has hired IBM and General Dynamics to help investigate the origin and extent of the breach. It also has set up toll-free numbers for customers who may have concerns regarding the breach. U.S.-based customers can call 866-484-6978. The number for customers in Canada is 866-903-1408, while those in the U.K. and Ireland can call 0800-77-90-15.
Officials at Visa say the credit card company is "risk scoring" all transactions in real time to help financial institutions identify fraudulent transactions that might result from the breach.
A report in today's Wall Street Journal suggests that the number of exposed cards could exceed the 40 million that were lost following a break-in at CardSystems Solutions two years ago, resulting in the demise of the payment systems processing firm. But Taylor says that as a retailer, TJX would handle many fewer credit cards than a transaction processing firm like CardSystems does.
"I'd be very surprised if [the attackers] got into more than a few million accounts," Taylor says.
Still, the effects of the breach could be devastating for TJX. Experts say that after informing customers of such a breach, some companies have lost as many as 30 percent of their online customers.
The breach also puts a spear point on complaints from credit card companies such as Visa and MasterCard, which last year registered concern that only a fraction of merchants had fully complied with the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS outlines requirements for the handling and storage of credit card information. (See Retailers Lag on Security Standard.)
Last month, Visa promised to offer some $20 million in incentives to encourage merchants to implement the credit card security standards. (See Visa Vows $20M for PCI Incentives.) Recent rumors also indicate that Visa has stepped up its enforcement of fines for non-compliance, levying penalties as high as $50,000 per month. Visa officials could not be reached in time for this posting.
Tim Wilson, Site Editor, Dark Reading