by Paul Roberts
News
Jan 18, 20074 mins
CybercrimeData BreachNetwork Security
The TJX Companies, a large retailer that operatesmore than2,000 retail stores under brands such as Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx and A.J. Wright, said on Wednesday that it suffered a massive computer breach on a portion of its network that handles credit card, debit card, check and merchandise transactions in the United Statesand abroad.
The company does not know the extent of the breach, which was first discovered in December 2006. However, hackers may have made off with credit and debit information from transactions in the United States, Canada and Puerto Rico in 2003 as well as transactions between May and December 2006, according to a company statement.
Banking officials in Massachusetts say the TJX breach is behind a recent warning by Visa to banks in Massachusetts, which have contacted customers in recent days and had to reissue thousands of ATM and debit cards. In the end, the hack may affect a wide range of credit card companies and thousands of consumers inAmerica and in countries like the United Kingdomand Ireland, experts say.
TJX said it is working with IBM and General Dynamics to investigate the breach, which is believed to have occurred on computer systems that process and store information on customer transactions for T.J. Maxx, Marshalls, HomeGoods and A.J. Wright. Transactions from T.K. Maxx in the United Kingdomand Ireland may have also been exposed in the breach.
TJX said it knows of “a limited number of credit card and debit card holders whose information was removed from the system,” and has provided that information to credit card companies. TJX is also working with law enforcement, including the U.S. Department of Justice, U.S. Secret Service and Royal Canadian Mounted Police, TJX said in its statement.
The company said it does not yet have enough information to determine the extent of the breach or what other customer information may have been compromised, nor can it quantify the financial impact of the breach.
Between eight and 10 Massachusetts banks have already had customers whose accounts were raided as a result of the breach. Those banks have had to reissue debit cards in response, said Bruce Spitzer, director of communications at the Massachusetts Bankers Association (MBA).
However, the MBA is still surveying its membership of 205 banks and credit unions. The effect of the TJX hack could be much wider and international in scope, he said.
Fitchburg Savings Bank in Fitchburg, Mass., has had to reissue 1,300 cards to customers whose account information was stolen, said Linda Racine, an executive vice president at the bank.
Fitchburg Savings was contacted by Visa on Monday night about the compromised customer accounts. However, the credit card company would not reveal the identity of the retailer that was the source of the breach, citing company rules, Racine said.
Fitchburg savings has sent letters to customers and reissued cards for affected accounts. However, no Fitchburg Savings customers appear to have been victims of fraud so far, she said.
The TJX breach recalls other recent hacks, including BJ’s wholesale club and another, reportedly at OfficeMax in 2005. Those breaches, as well as incidents like the hacking of card processor Card Systems, prompted the payment card industry to issue new rules, dubbed the PCI, about how sensitive data is stored and transmitted on internal systems.
However, Spitzer of the MBA said that banks still bore the brunt of security breaches at retailers because they have to pay to reissue cards to customers and absorb the financial losses from unauthorized account withdrawals. Small banks and credit unions often have trouble absorbing those costs, though they are not at fault in the breach itself, Spitzer said.
Spitzer took issue with the delay between the time TJX learned of the breach and when his organization and banks were notified as well as with Visa’s policy of keeping the source of the breach a secret.
“We would have liked to know sooner,” he said.
MBA is working with state and federal lawmakers to hold card companies and retailers more accountable for the costs of security lapses, he said.
Related content
- newsZscaler shuts down exposed system after rumors of a cyberattack Initially dismissing rumors, Zscaler now says it did have a system exposed but nothing important has been accessed. ByShweta SharmaMay 09, 20243 minsData BreachCyberattacks
- newsPalo Alto launches AI-powered solutions to fight AI-generated cyberthreats The suite is powered by Palo Alto’s proprietary solution, Precision AI, which integrates machine learning, deep learning, and generative AI technologies.ByPrasanth Aby ThomasMay 09, 20243 minsGenerative AISecurity Software
- newsF5 patches BIG-IP Next Central Manager flaws that could lead to device takeover Two high-risk vulnerabilities could allow attackers to gain full administrative control on devices via leaked password hashes.ByLucian ConstantinMay 08, 20245 minsThreat and Vulnerability ManagementCloud SecurityVulnerabilities
- newsSuspected Chinese hack of Britain’s Ministry of Defence linked to contractor, minister confirms The UK’s defence minister would not confirm that the attack was conducted by an element of the Chinese state, rather blaming the “potential failings” of a partner.ByJohn DunnMay 08, 20244 minsAerospace and Defense IndustryData BreachGovernment
- PODCASTS
- VIDEOS
- RESOURCES
- EVENTS
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
