boston.com Business your connection to The Boston Globe

TJX credit data stolen; wide impact feared

TJX Cos. yesterday said credit and debit card information was stolen from its computer systems, a breach that could affect a broad swath of customers of T.J. Maxx, Marshalls, and other stores.

The Framingham retailer, which operates 2,500 outlets, said it does not know yet how much data was taken, though one banking official estimated that up to millions of cardholders could be affected.

Data leaks are becoming an increasing threat to consumers and to the payment systems that handle millions of transactions per day. But the TJX case is unusual since it was the result of theft rather than the more common inadvertent losses.

TJX said yesterday in a statement that it learned in mid-December it had "suffered an unauthorized intrusion" into the parts of its computers that process and store details of customer purchases. TJX spokeswoman Sherry Lang said in an interview that an outside computer consultant first found the problem.

The company said the intrusion involved the portion of its network that handles credit card, debit card, check, and merchandise return functions of various stores in the United States and Canada, and potentially locations in Britain and Ireland as well.

So far TJX said it has identified "a limited number of credit card and debit card holders whose information was removed from its system." Also, TJX said "a relatively small number of customer names with related drivers' license numbers" was taken. Lang said these customers number "substantially less than millions."

But a second potentially larger group's data covering periods in 2003 and 2006 "may have been accessed," the company said. Lang said that TJX knows of no misuse of customer data so far but reiterated that TJX does not know the full extent of the breach.

Visa USA has notified at least eight banks in Massachusetts that cards they issued may have been affected by the theft, said Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, and the number could go higher as the group finishes a survey of its 205 member banks.

Spitzer said that up to millions of consumer credit and debit cards could be affected by a breach involving a company as large as TJX, though banks so far haven't been told many details of the incident. TJX is one of the country's biggest off-price retailers, selling discounted apparel and home goods.

TJX chairman and acting chief executive Ben Cammarata in a statement called the breach a "crime" and urged customers to review their credit card and debit card statements for any fraudulent transactions. TJX has also set up a special help line, 1-866-484-6978, to answer customers' questions and provided information on its website, www.tjx.com.

Under Massachusetts law, consumers are liable for only up to $50 worth of fraudulent purchases, Spitzer said.

Visa in a statement said it is working with TJX and law enforcement and reviewing all transactions to help banks that issued its cards to distinguish fraudulent transactions from legitimate ones.

"All major card brands accepted by the retailer are affected by the [data] compromise," Visa said.

MasterCard Inc. said in a statement that it has warned banks about the TJX theft, and that, like Visa and other companies, its rules protect its customers from most liability. An American Express Co. spokeswoman said some of its cards could also be affected.

Among large Massachusetts banks, a spokesman for Citizens' Bank said none of its cardholders were affected. A Bank of America spokeswoman said it knows of the breach but declined to discuss if its customers were affected. A Sovereign Bancorp Inc. spokesman said it is still reviewing the matter.

Credit and debit cards are mostly issued by banks ranging from small savings and loan organizations to giants like Bank of America. Their use has soared to account for 40 percent of consumer spending in 2005, up from 30 percent in 2000, according to Nilson Report, a California newsletter tracking the payments industry. When customers use such cards to buy goods and services, their payment information is transmitted from vendors' cash registers across massive data networks maintained by processing companies.

Mark Rasch, a former federal prosecutor now an attorney for Nebraska data security firm Solutionary Inc., said a common vulnerability for a retailer like TJX occurs when they use a single processing system for customer data across all of their brands, such as TJX's various stores.

"You're looking for a single point of failure here," he said. "There was something that all these enterprises had in common."

Many other companies have reported data losses as well. Some cases have involved direct hacking in which intruders stole information from the systems, such as a 2006 incident that compromised data on nearly 200,000 customers of stores including OfficeMax Inc.

Other cases involved more inadvertent breaches, such as a 2005 incident when Time Warner lost data backup tapes.

TJX said it kept its breach secret until late yesterday at the request of law enforcement agencies it had contacted, including the US Justice Department and the Royal Canadian Mounted Police. It did not say why it disclosed the information.

TJX said it has hired General Dynamics Corp. and IBM Corp. to review and improve its computer security.

Ross Kerber can be reached at kerber@globe.com. Globe reporter Keith Reed contributed to this report.
