TK Maxx hit by theft of 46m credit card details


DW Regular
May 24, 2005

Computer hackers targeting the cut-price fashion retailer TK Maxx have stolen information from 45.7m credit and debit cards on both sides of the Atlantic, in one of the biggest electronic heists of its kind.

TK Maxx's American parent company, TJX, revealed the extent of the "unauthorised intrusion" in its annual report yesterday, which said somebody had used sophisticated software to access its data centres in Watford and in Framingham, near Boston.

The hacker was able to snatch potentially sensitive details from four years of transactions up to December last year, including information from shoppers who visited the company's 210 department stores in Britain.

"We suspect that customer data for payment card transactions at TK Maxx stores in the UK and Ireland has been stolen," said the company. "We suspect that these files contained payment card transaction data, some or all of which could have been unencrypted and unmasked."

Names, card numbers and personal data were stolen - including, in the case of American shoppers, social security numbers.

The company said there was evidence that the information had been used for fraudulent transactions. Six people were charged in Florida last week with using TJX data to buy $1m in Wal-Mart gift cards which were used to pay for electronics and jewellery.

Of the details stolen in both Britain and America, 30.6m came from cards which had expired at the time of the breach, while 15m were unexpired. Of those still valid, 3.8m had "masked" or encrypted information but 11.2m had clearly accessible data.

TJX became suspicious a week before Christmas when it discovered unfamiliar software on its computer systems. The company called in experts from IBM and General Dynamics and notified the US secret service a few days later.

When the scale of the breach became clear, TJX informed the Metropolitan Police and Britain's information commissioner, in addition to law enforcement bodies in the US and Canada.

The company is already facing lawsuits from angry shoppers, banks and credit card companies and has set aside $5m to cover the cost of the investigation.

Banks, which have been forced to re-issue debit and credit cards to affected customers, have been critical of the company, which initially disclosed that it had a problem in January but then said that the amount of information stolen was "substantially less than millions".

Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, told the Boston Herald that the firm had not been very forthcoming about the size of the breach, adding: "They didn't have good systems in December, and obviously they didn't have them for years before."

The US firm opened its first British store in 1994 and has become renowned for offering bargain prices on clothing from designer labels such as Armani, Calvin Klein and DKNY.

In a message on TK Maxx's website, the group's chief executive, Carol Meyrowitz, has offered a personal apology to customers and has provided a free phone number for anybody who believes they may have been affected: 0800 779015.

Andrew Clark in New York
Friday March 30, 2007
Guardian Unlimited
Guardian News and Media Limited 2007


DW Regular
May 24, 2005

TK Maxx faces inquiry after theft of credit card details

The discount clothing retailer TK Maxx is facing an investigation into whether it broke the law by keeping payment information stolen in the world's biggest theft of credit card details.

The Information Commissioner's Office (ICO) said last night that it was seeking an explanation from the British arm of the American giant TJX as to why its computer system held credit and debit card information that was up to three years old. Under data protection legislation, retailers are only permitted to keep details for as long as there is a "business purpose".

Experts questioned whether holding the data for transactions between 2003 and 2004 could be justified when many retailers wiped such information after three months.

A spokeswoman for the ICO, which has the power to bring prosecutions under the Data Protection Act, said: "We take breaches of privacy such as this extremely seriously. We are in close contact with TK Maxx, and the period of retention of this data is something we will be investigating."

The inquiry was launched as British customers of TK Maxx were warned to check their credit card and bank statements for fraudulent transactions after it emerged that nearly 45.7 million payment card details were stolen from the company's computers.

TJX said its computers had been hacked in America and Britain from July 2005 until December 2006. The exact number of intrusions and how many people were involved may never be known. Investigators in America believe the stolen numbers have been sold on.

The group confirmed yesterday that it did not know what exactly was held in two files stolen from its computers in Watford. A spokeswoman for TJX said: "We have identified two files that were removed from our UK system. But we don't know what was in them because of the software used in the intrusion and the deletions we perform in the normal course of our business."

Police in Florida charged six people last week with using stolen details to try to buy electrical goods worth $8m (£4.1m). They are searching for four other suspects. It was still unclear last night whether any British customers' details had been used in the transactions.

Although the scale of the theft comfortably exceeds the previous largest of its kind, when 40 million card details were compromised in 2005, banking experts backed claims from TJX that most of the stolen data will be useless. Information from about 75 per cent of the cards will have already expired or be masked and unreadable.

A spokesman for Apacs, the UK bank clearing organisation, said most people in Britain now use a different card because of the introduction of chip and pin.

But the organisation, which processes 97 per cent of payments in Britain, echoed concern at the length of time that TK Maxx had kept the data.

Retailer with a winning formula

With its unique formula of spartan shop fittings and clothing rails creaking with must-have brands at knockdown prices, TK Maxx has staged a stealthy takeover of a large chunk of Britain's £80bn retail clothing market.

From the opening of its first store in Bristol in 1994, the company now has 210 stores in the UK, and last year recorded sales of £920m. It is now one of the biggest players in the "value retail" sector.

But while its competitors rely on selling T-shirts for £1 and jeans for £3, TK Maxx adopted a strategy of snapping up bargains from other retailers and selling them to its customers for up to 60 per cent off. It also sells homewares, furniture, toys and textiles.

Another of the key elements to the chain's success has been its seduction of the middle classes. While few would confess to buying their underwear from Asda, the latest bargain from TK Maxx is a hot topic of conversation.

By Cahal Milmo
Published: 31 March 2007
© 2007 Independent News and Media Limited