TK Maxx admits hacker's theft of data from 45.6 million credit cards
Posted on 30 Mar 2007 at 09:42
Fashion retailer TK Maxx has revealed that hackers have stolen credit card information for 45.6 million of its customers in the UK, US and Canada.
The company said that the hacker had accessed its data centres in Watford and Massachusetts and stolen details of four years of transactions up to December of last year.
Customers' names, card numbers and personal data were stolen and have already been used for fraudulent transactions in the US, where six people were charged last week.
Two-thirds of the compromised cards, 30.6 million, had expired by the time of the security breach, and a further 3.8 million had encrypted data. However, the information from the remaining 11.2 million was readily accessible.
TK Maxx's parent company, TJX, spotted the intrusion shortly before Christmas when it discovered software on its computers that should not have been there. US authorities were notified soon afterwards, after the breach had been confirmed by security experts. Once the scale of the breach became known, TJX contacted other law enforcement agencies in the affected countries, including the Metropolitan Police.
Banks have been forced to re-issue millions of credit cards and have criticised the company for the weakness of its security systems.
Jamie Cowper, a data security expert for PGP Corporation, said that new standards such as the Payment Card Industry Data Security Standard, which comes into force in June 2007, will mean that companies that fail to protect customer information could face losing their credit card facilities altogether.
'This is a frightening illustration that when retailer systems are hacked - even if it occurs on the other side of the world - the card details of customers in every country are at risk because of the way companies share and store information globally,' Cowper said. 'Security technologies such as encryption can greatly simplify the process of protecting information - but the recent spate of data breaches in the news suggests that many companies are still a long way off being compliant with this and other data protection standards.'
Carol Meyrowitz, TJX's president and chief executive officer, apologised to TK Maxx customers.
'I personally regret any difficulties you may experience as a result of the unauthorised intrusion into our computer systems,' she said. 'We are working with leading computer security firms to investigate the problem and enhance our computer security in order to protect our customers' data. We are dedicating significant resources to evaluate the issue. Given the nature of the breach, the size and international scope of our operations and the complexity of the way credit card transactions are processed, the evaluation is, by necessity, taking time.'
The company has set up a UK freephone number for enquiries: 0800 779015. It said customers should review their statements and, if any unauthorised or suspicious card use is detected, contact the card issuer or bank immediately.
Author: Simon Aughton
Printed from www.pcpro.co.uk

