Winners, HomeSense hit with huge security breach


Financial information of millions of customers may have been compromised following a computer security breach at The TJX Companies Inc., the U.S. parent company of Canadian retailers Winners and HomeSense.

The Framingham, Mass.-based company suffered an “unauthorized intrusion” into its computer systems that process and store data on customer transactions involving credit cards, debit cards, cheques and merchandise returns.

The breach happened in December and exposed customer transactions that occurred during 2003 and from May to December of 2006.

TJX has said it does not yet know the full extent of the breach, nor how many customers may have been affected. (The company operates more than 2,300 stores globally.)

However, the conglomerate has identified a “limited number” of credit and debit card holders whose information was stolen, and is providing that information to credit card companies. Also, a “relatively small number” of customer names and their drivers’ license numbers were taken.

While the intrusion occurred last month, TJX only made it public yesterday, stating that it did not disclose the matter earlier at the request of law enforcement agencies.

The company is working with the U.S. Department of Justice and Secret Service, and the Royal Canadian Mounted Police to help identify the culprits. They said they will be co-operating with card-issuers as well.

Companies, in particular retailers, can protect themselves and shoppers’ financial data by preparing for the worst, says Dave Cole, director of security response at Symantec Corp. in California.

“In the event of an external attack, which appears to be the case here, you have to start by defining and protecting your network perimeter.”

This is a crucial preventive step, says Cole, given that many organizations have moved to wireless technologies. In some instances, companies set up wireless access points incorrectly, resulting in built-in weaknesses.

But overall, routine testing, rolling out software patches and keeping the systems up to date are “tedious but so important”.

While retailers have a proactive role to play in securing financial data, so do consumers, says Cole. “It’s going to happen at some point that someone will lose your data. Practice good hygiene with monitoring your financial accounts.”

Cole suggests people regularly review their financial statements, and immediately report unusual activity to their financial institution. Also, many credit reporting agencies provide a credit monitoring service that will flag suspicious transactions.

To assist with customer concerns regarding the security breach, TJX has provided a toll-free help line. The number for Canada is 1-866-903-1408. Other help lines have been set up in the U.S., U.K., and Ireland.

The TJX fiasco was followed by news of another huge security breach in which CIBC lost a drive containing the personal data of around 470,000 mutual funds clients.