20070117-TJX

01/17/2007 TJ stores (TJX)

Includes TJMaxx, Marshalls, Winners, HomeSense, AJWright, KMaxx, and possibly Bob’s Stores in U.S. & Puerto Rico — Winners and HomeGoods stores in Canada — and possibly TJMaxx stores in UK and Ireland

a retail business headquartered in Framingham, Massachusetts
100,000,000 financial accounts compromised
(TJX reported 45.7M, but multiple sources below cite different, and higher, numbers)

The TJX Companies include TJMaxx, Marshalls, Winners, HomeSense, AJWright, KMaxx, Bob’s Stores and HomeGoods. There was an intrusion in mid-December 2006 that may have exposed transaction data from 2003 and from May through December of 2006.
 
Initial estimates of the compromised information were 45,700,000 charge card account numbers (including both debit and credit) and 455,000 merchandise return records containing customer names and driver’s license numbers.
 
In 2007 the ballpark cost for a large-scale data breach is between $100 and $182 per compromised consumer. Initially the reported number of compromised cards was 45 million. That estimate was raised to 94 million in October 2010 during criminal prosecution. This puts the estimated cost to TJX at $9.4B at $100/card or $17.1B at $182/card.
 
UPDATE (2/22/2007): TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks its computer system was also hacked in July 2005 and on various subsequent dates that year.

UPDATE (3/21/2007): Information stolen from TJX’s systems was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials.

UPDATE (3/29/2007): The company reported in its SEC filing that 45.7 million credit and debit card numbers were hacked, along with 455,000 merchandise return records containing customers’ driver’s license numbers, Military ID numbers or Social Security numbers.

UPDATE (4/22/2007): Initially, TJX said the break-in started seven months before it was discovered. Then, on February 18, the company noted the perpetrators had access to data for 17 months, and that the intrusion apparently began in July 2005.

UPDATE (04/26/2007): Three states’ banking associations (MA, CT, and ME) filed a class action lawsuit against TJX to recover the costs of damages totaling tens of millions of dollars incurred for replacing customers’ debit and credit cards.

UPDATE (05/04/2007): The Wall Street Journal reported that TJX had an outdated wireless security encryption system and had failed to install firewalls and data encryption on computers using the wireless network; as a result, crooks were able to access data streaming between hand-held price-checking devices, cash registers and the store’s computers. 21 U.S. and Canadian lawsuits seek damages from the retailer for reissuing compromised cards.

UPDATE (07/10/2007): U.S. Secret Service agents found TJX customers’ credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places. Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers.

UPDATE (08/31/2007): Earlier this week the U.S. Secret Service said it had arrested and indicted four members of an organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking, and conspiracy.

65M Visa cards: In an August 31 deposition that was unsealed in federal court in Boston late Tuesday, Joseph Majka, Visa USA’s vice president of investigations and fraud management, said the association alerted card-issuing banks and other institutions about 65 million Visa accounts that may have been compromised.

UPDATE (9/21/2007): A ring leader in this compromise was sentenced to five years in prison and has been ordered to pay nearly $600,000 in restitution for damages resulting from stolen financial information.

UPDATE (09/25/2007): TJX announced the terms of a settlement for customers affected by the data breach — with strings attached. Credit monitoring will be offered to about 455,000 of the 46 million affected. TJX will reimburse customers who had to replace driver’s licenses as a result of the breach if they submit documentation for the time and money spent on replacing licenses. The company will give a $30 store voucher to those customers who submit documentation about their lost time and money. And TJX will hold a special 3-day sale with a 15% discount sometime in 2008. The settlement still needs to be approved by the court.

UPDATE (10/23/2007): Court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million.

UPDATE (10/23/2007): The total number of records increased from 167 million to 215 million. Recent court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million, up considerably from 45.7 million credit and debit card account numbers initially thought to be compromised. Breach costs have been estimated at $216 million.

UPDATE (10/24/2007): AP via NBC News

BOSTON — At least 94 million Visa and MasterCard accounts may have been exposed to potential fraud in a data breach at TJX Cos., nearly double the previous estimate by the discount retailer.

The figure was included in court filings this week that cited officials from the credit card associations. … Depositions of security officials at Visa and MasterCard Inc., the two biggest credit card associations, suggest the breach was far bigger than TJX has indicated. Even before the latest numbers, independent organizations that track data breaches had called the case the largest ever.

TJX said in March that at least 45.7 million of its shoppers’ cards had been compromised, although it acknowledged it may never learn the total number.

In an Aug. 31 deposition with an attorney for banks suing to recover breach-related losses, Visa’s Majka said the association had alerted card-issuing banks and other institutions about 65 million Visa card accounts that may have been compromised. That number was as of June [2007], he said. [highlighting ours -ed]

UPDATE (11/30/2007): Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ’s Wholesale Club Inc.

More than 100M? After initially disclosing the data heist in January, TJX said in March that at least 45.7 million cards were exposed to possible fraud in a breach of its computer systems that began in July 2005. But the breach wasn’t detected until December 2006. Recent court filings by the banks suing TJX put the number of cards affected at more than 100 million, citing estimates from officials with Visa and MasterCard, who were deposed in the lawsuit. [ per http://usatoday30.usatoday.com/money/industries/retail/2007-11-30-tjx-visa-breach-settlement_N.htm ]

UPDATE (12/05/2007): An InternetNews.com article estimates TJX expenses at $500 million to $1 billion. In a settlement with VISA USA, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers affected by the breach. At least 19 lawsuits have been filed, and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General.

UPDATE (12/18/2007): TJX has settled the lawsuit for an undisclosed amount. Although both sides said the settlement total would remain confidential, TJX said the costs were covered by a $107 million reserve that it set aside against its second-quarter earnings. TJX also has said that the $107 million would cover the costs of another breach agreement: a November 30 deal with Visa Inc. to help pay a maximum of $40.9 million to help the network’s card-issuing banks recover expenses to replace customers’ Visa cards.

UPDATE (2/10/2008): Notices are going out to millions of customers who may have had credit card information compromised in a data breach. The notices contain information about eligibility for compensation such as vouchers and credit monitoring to be provided under a proposed settlement.

UPDATE (4/2/2008): TJX Cos. reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and other institutions to cover fraud losses stemming from a massive data breach disclosed last year. They also struck a similar deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs associated with the breach.

UPDATE (5/14/2008): The TJX Companies, Inc. today announced that it completed its previously announced settlement with MasterCard International Incorporated and its issuers. Financial institutions representing 99.5% of the eligible MasterCard accounts worldwide that were claimed to have been affected by the unauthorized computer intrusion(s) at TJX accepted the alternative recovery offer under TJX’s previously announced Settlement Agreement with MasterCard.

UPDATE (8/5/2008): Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft. This is the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. An indictment was returned on Aug. 5, 2008. Conspirators obtained the credit and debit card numbers by wardriving and hacking into the wireless computer networks of major retailers — including TJX Companies, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The indictments are the result of a three-year undercover investigation conducted out of the San Diego Field Office of the U.S. Secret Service.

UPDATE (8/30/2008): TrustCo BankCorp NY sued TJX in August 2008 to recoup costs it incurred from reissuing an estimated 4,000 customer MasterCard debit cards after hackers accessed the TJX computer network. The bank stated its cost for the breach was up to $20 per affected account, explaining that it suffered losses from administrative expenses and lost interest and transaction fees. Later in the month, TJX in turn claimed that Trustco failed to implement policies or procedures that would have enabled the bank to avoid canceling and replacing customer debit cards.

UPDATE (9/22/2008): One of the 11 people arrested last month in connection with the massive data theft at TJX and several other retailers pleaded guilty yesterday to four felony counts, including wire and credit card fraud and aggravated identity theft. Many of the Internet attacks that he facilitated were SQL injection attacks, according to court documents. The stolen data was sold to cyber criminals in Eastern Europe and the U.S. or used to make fraudulent credit and debit cards.

UPDATE (6/26/2009): TJX has agreed to pay $9.75 million to 41 states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX’s systems in place at the time of the breach. Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. Further, $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the state Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information.

UPDATE (7/28/2009): Pennsylvania and 40 other states reached a $9.75 million settlement.

UPDATE (9/4/2009): TJX settles for $525K with four banks. As part of the settlement with AmeriFirst Bank, Trustco Bank, HarborOne Credit Union and SELCO Community Credit Union, the Framingham, Mass.-based retailer paid $525,000. The money primarily will be used to cover the banks’ expenses in pursuing the legal action.

UPDATE (12/15/2009): A Miami hacker who had already pleaded guilty to computer fraud and identity theft for breaches at retailers T.J. Maxx, OfficeMax, and many other merchants pleaded guilty on Tuesday to similar charges related to breaches at Heartland Payment Systems, 7-Eleven, Hannaford Brothers supermarkets, and two other companies. Albert Gonzalez, 28, reiterated the terms of a plea agreement in U.S. District Court in Boston. A week earlier, co-conspirator Stephen Watt of New York appeared in that same court and was ordered to serve two years in prison and pay $171.5 million in restitution for developing a sniffing program used to grab payment card data in the breach at the TJX companies between 2003 and 2008.

UPDATE (3/17/2010): Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking. Zaman was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts. Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. Zaman is the second conspirator in the TJX case to be charged. Former Morgan Stanley coder, Stephen Watt, was sentenced in December to two years in prison for his role in the TJX case, which involved supplying Gonzalez with a sniffer program used to siphon card data from the TJX network.

UPDATE (3/29/2010): A 28-year-old college dropout who became the world’s biggest credit card hacker was sentenced on Thursday to 20 years in prison for stealing millions of credit union and bank account records from TJX Cos., BJ’s Wholesale Club, Office Max, Dave & Busters, Barnes & Noble and a string of other companies, even as he was working as a $75,000-a-year undercover informant for the U.S. government in identity theft cases. But that’s not the end of it, as Albert Gonzalez is scheduled to be sentenced again to additional years behind bars for additional data thefts at Heartland Payment Systems, Hannaford Bros. supermarkets and 7-Eleven convenience stores. The theft of credit card data cost financial institutions, insurers and cardholders an estimated $200 million, according to law enforcement. JC Penney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that the $17 billion JC Penney chain was one of Gonzalez’s victims, even though JC Penney’s media representatives were denying it. But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C. and Puerto Rico, had kept its identity secret.

UPDATE (4/16/2010): Damon Patrick Toey, the ‘trusted subordinate’ of TJX hacker Albert Gonzalez, was sentenced in Boston to 5 more years in prison. He also received a $100,000 fine and three years’ supervised release, according to the Justice Department.

UPDATE (7/8/2010): TJX has settled another lawsuit. The Louisiana Municipal Police Employees’ Retirement System, a shareholder of TJX stock, settled with TJX for $595,000 in legal fees and enhanced oversight of customer files.

UPDATE (4/8/2011): Albert Gonzalez is appealing his conviction for his role in a large data breach by claiming that his actions were authorized by the Secret Service. The government acknowledged that Gonzalez was a key undercover Secret Service informant at the time of the breaches. In a 25-page petition, Gonzalez faulted one of his attorneys for failing to prepare a “Public Authority” defense, which would have argued that he committed crimes with the approval of government authorities.

www.securityfocus.com/news/11493
www.informationweek.com/news/199203277
http://ctogonewild.com/2009/06/24/tjx-t-j-maxx-rea


Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.