Financial and personal information from at least 45.7 million credit and debit cards was stolen by hackers, according to The TJX Companies Inc., the U.S. parent of Canadian retailers Winners and HomeSense.
The data stems from transactions beginning January 2003 and ending Nov. 23 of the same year, the Framingham, Mass.-based company revealed in a regulatory filing with the U.S. Securities and Exchange Commission last week.
TJX, which operates more than 2,300 stores globally, first announced the security breach and resultant theft in January, but did not at the time disclose the number of credit and debit cards that were compromised – saying it did not yet know the full extend of the breach.
When the theft occurred, the filing says, around three-quarters of the cards had already expired, or data from their magnetic strips were concealed. Substituting numbers for asterisks is a practice the company began in September 2003.
According to the filing, another 455,000 customers who returned merchandise without receipts had their personal information stolen, including driver’s license numbers.
TJX did not provide the number of stolen cards for transactions occurring from Nov. 24 to June 28 of 2004.
Although it didn’t discover the computer breach until about three months ago, the company says systems were first compromised in July 2005.
The company has not identified a culprit and does not know if the crime was committed by a single, or multiple parties, the filing says. However, it did say “we believe that the intruder had access to the decryption tool for the encryption software utilized by TJX.”
No customer financial and personal data has been stolen after Dec. 18 of last year, when the company hired IBM Corp. and General Dynamics Corp. to investigate the incident.
TJX faces an investigation by the Federal Trade Commission, as well as lawsuits from banks and individuals who claim it did not adequately protect private data, and did not disclose the theft in a timely manner.
The company is continuing its forensic investigation into the incident, and is beefing up its computer system security, the filing says.
Authorities arrested six individuals in Florida last week, suspected of carrying out a fraud scheme using credit card numbers stolen from TJX. According to law enforcement officials, the suspects aren’t the actual hackers, rather they acquired the information from someone else.
The suspects bought large quantities of Wal-Mart gift cards using the stolen data, before redeeming the gift cards at other store locations.
The attack on TJX has made the company the biggest known victim, in history, of card fraud by hackers, according to industry observers.
TJX could not be reached for comment.
