The Federal Trade Commission said yesterday it is investigating TJX Cos. in connection with a major security breach at the Framingham retailer that potentially exposed millions of customers' credit and debit card data.
Agency officials, in response to a public request for information from the Globe, withheld dozens of documents relating to the TJX security breach because of a current investigation. In a March 8 letter the commission said "disclosure of that material could reasonably be expected to interfere with the conduct of the Commission's law enforcement activities."
TJX spokeswoman Sherry Lang said the company is cooperating with the FTC. "We placed the initial call to the FTC and reached out to them in advance of our public disclosure and briefed them of the entire situation in early January," Lang said. "We felt it was the right thing to do."
Last month, TJX said computer hackers may have gained access to its consumer data in 2005, a year earlier than it had previously believed. The Framingham discounter, which runs more than 2,500 stores worldwide including T.J. Maxx and Marshalls, first disclosed the security breach in January and said the intrusions began last year. After further review, the company found that thieves broke into the system as early as July 2005, stealing customer data, including driver's license numbers, as far back as 2003.
Customers across the country have reported fraudulent use in what could be one of the biggest losses of consumer data to date. TJX faces numerous lawsuits from individuals and banks that accuse the company of failing to adequately safeguard private data and of delaying disclosure of the breach. MasterCard International Inc. has acknowledged that TJX failed to meet a data-security standard set by card companies at the time of its breach.
Congressman Ed Markey , a Malden Democrat, has pressed the FTC to review TJX's data loss just as it investigated similar cases at other companies. The FTC is an independent agency that deals with consumer protection, antitrust, and other issues.
"An FTC investigation into the TJX data breach should uncover the extent of the harm suffered by TJX customers and shine a light on the security weaknesses at TJX that were exploited by data thieves hunting for consumers' personal information," Markey said yesterday in a statement.
"I hope that companies that collect and keep consumers' credit card numbers, addresses, and other sensitive information on file will learn lessons from the FTC's investigation, " added Markey. He is also cosponsoring a data security bill that requires companies to implement the strongest possible data safeguards and update them frequently to thwart thieves.
An FTC spokeswoman declined to comment on the TJX matter except to say there are no timelines for agency investigations. In the March 8 letter, the FTC said other records, including staff analyses, opinions, and recommendations related to the TJX security breach, were withheld because they are "deliberative and pre-decisional and are an integral part of the agency's decision-making process."
Over the past few years, the FTC has struck more than a dozen settlements with businesses following data security breaches.
One of the most extensive came last year, when data provider ChoicePoint Inc. of Georgia agreed to pay $15 million over alleged violations in security and record handling . In most other cases, the FTC has only told companies to strengthen security.
Jenn Abelson can be reached at firstname.lastname@example.org.