23 June 2017

TJX hack is biggest ever with 45.7 million card numbers stolen

29 March 2007

Fraudsters who hacked the computer systems at US retailer TJX managed to steal more than 45.7 million credit and debit card numbers over a period of more than 18 months, making it the biggest breach of personal data ever.

In addition, personal data provided by about 451,000 individuals in 2003 in connection with the return of merchandise without receipts was also stolen.

The retailer revealed on 17 January that the computer system it uses to process and store information related to customer transactions had been hacked, potentially exposing millions of customers' credit and debit card numbers, as well as driver's licence information.

In an SEC filing, TJX says it first detected the suspect software on 18 December last year but believes its systems were first accessed in July 2005, on subsequent dates in 2005, and from mid-May 2006 to mid-January 2007, although no customer data was stolen after 18 December.

Hackers placed unauthorised software on TJX's computer network and stole at least 100 files containing data on millions of accounts from systems in Framingham, Massachusetts and Watford in the UK.

These systems are used to process and store transaction information. TJX also believes the technology used by hackers in 2006 could have enabled them to steal card data from the Watford system during the payment process, when data is transmitted to the card issuer without encryption.

But even data that was encrypted may have been compromised as TJX believes the hackers may have had access to its decryption tool.

The scale of the TJX breach eclipses the compromise at Cardsystems in 2005 that exposed more than 40 million credit cards to hackers, which was previously the largest known compromise of financial data.

Last month the office of the Massachusetts Attorney General said it was leading a multi-state civil investigation into the TJX security breach. Lawmakers in the state are considering introducing a bill that would make retailers liable for any costs and losses incurred as a result of a security breach.

TJX says the incident has already cost $5 million, although it says it can't currently estimate total losses.

Debit and credit card data exposed in the compromise is thought to have been used to make fraudulent purchases in Florida, Georgia and Louisiana in the US, as well as in Hong Kong and Sweden.

Keywords: CARD FRAUD

Comments: (1)

A Finextra member | 18 August, 2009, 12:50

The largest would be "US man charged with stealing 130 million card numbers" now. (http://www.finextra.com/fullstory.asp?id=20382)

This man was involved in TJX Case too.
