TJX, the parent company of national discount chains such as T.J. Maxx and Marshalls, disclosed on Wednesday that identity thieves had breached its security measures and gained access to a computer network on which the company stores its transaction data. The theft could involve consumers from the U.S., Canada and the British Isles.
According to the company, compromised data includes credit card, debit card, checking and drivers’ license information, as well as information related to transaction returns. The Framingham, Mass.-based company said it has identified some of the stolen customer information, but has not fully identified the scope of the theft and how many shoppers may have been affected.
“To date, TJX has been able to specifically identify a limited number of credit card and debit card holders whose information was removed from its system,” the company said in a statement. “In addition, TJX has been able to specifically identify a relatively small number of customer names with related drivers’ license numbers that were also removed … and TJX is contacting these individuals directly.”
TJX discovered the thefts in mid-December just before the Christmas holiday. The company immediately contacted law enforcement and also notified credit card companies about the breach.
The investigation, conducted in cooperation with the U.S. Department of Justice, Secret Service and the Royal Canadian Mounted Police, has revealed that the “unauthorized incursion” at some of its stores in the U.S., Canada and Puerto Rico included credit and debit card sales transactions from as long ago as 2003. Transaction data between May and December of 2006 may also have been stolen.
Thus far, the ongoing investigation has determined the breach could have international impact, with the confidential data of Canadian, Puerto Rican and American patrons of T.J. Maxx, Marshalls, HomeGoods, A.J. Wright, Winners and HomeSense stores potentially compromised. T.K. Maxx customers in the United Kingdom and Ireland, as well as Bob’s Store consumers in the U.S., could also be at risk.
Consumer Protect Thyself
While there is little TJX customers can do to protect their personal data once it is in the hands of a third party, security experts and TJX recommend consumers take some basic steps. Most importantly, they should carefully review their bank account and credit card statements for any unauthorized purchases. If they suspect that they have been victims of fraud, they should contact their credit or debit card company immediately.
“If you don’t habitually check your credit card statement, you should,” said Ron O’Brien, senior security analyst at Sophos, a computer security firm.
Online shoppers should also make sure that they only conduct electronic transactions on a secure site. They can identify a secure site by looking at the Web address, O’Brien explained. If a site is secure, the URL will begin with “https.” In addition, he warned consumers not to click on a link contained in an e-mail or an e-mail attachment, lest they become victims of a phishing scheme.
“[Phishing] is nothing more than an attempt to gain information from you that they can then use to gain access to other accounts,” O’Brien said.
Standards in Place
Retailers have been relatively proactive in securing their systems, said Rob Ayoub, a Frost and Sullivan analyst. One example is the adoption of the PCI Data Security Standard. Developed by the major card brands, including Visa and MasterCard, the standard requires retailers to build and maintain secure networks, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, and regularly test and monitor their networks.
“Legislation like PCI has really started to tighten up the security requirements for retailers and processors, and I believe it will continue to improve things,” said Ayoub.
Identity theft has become an epidemic that lawmakers and the banking industry need to take much more seriously, said Gartner analyst Avivah Litan. As thefts continue, there is growing evidence that criminals are developing files on their victims, Litan said.
“These criminals are piecing together information on American citizens and residents. They have records on tens of millions of consumers. And this latest breach was part of a well-orchestrated attack,” she said.
The thieves acquire the information any way they can, Litan said — through retailer breaches, brokerage accounts, or phishing attacks. “They use all the tools in their arsenal,” she continued, “and the steps being taken to protect us are just baby steps.”
Real ID Act Just a Start
Too much blame is being placed on retailers, and expecting retailers to become security experts is unrealistic, according to Litan. Changes need to be made in the payment and identity systems in the U.S. Changing the fundamentals of the payment system so that it doesn’t matter if the data is stolen is an important first step.
“There are user authentication technologies out there that can do that,” Litan said. “But the banks don’t want to spend the money to update the cards.”
The Real ID Act, which became law in May of 2005 as a way to make sure documents submitted for a driver’s license are not counterfeit, is a good start, Litan claimed. The act establishes national standards for state-issued driver’s licenses and ID cards. However, the slow pace of adoption gives identity thieves plenty of time to execute their schemes.
“With more and more of these crimes originating in the Middle East by people with political agendas against the U.S., that increases the risk that we will be hit with cyberterrorism,” Litan concluded.