TJX says theft of data may go back to 2005

By Ross Kerber
Globe Staff / February 22, 2007

TJX Cos. yesterday said computer hackers may have gained access to its consumer data in 2005, a year earlier than it had previously thought, potentially exposing millions more customers of stores such as T.J. Maxx and Marshalls to identity theft.

The disclosure comes a month after the Framingham retailer reported that credit- and debit-card information dating to 2003, along with some driver's license data, may have been compromised during an unauthorized intrusion into its computers. Customers have reported fraudulent use, and the company faces a slew of lawsuits from individuals and banks that issued the cards.

Separately, a spokesman for MasterCard International Inc. said yesterday that at the time of the breach TJX did not meet a data-security standard set by card companies. TJX spokeswoman Sherry Lang declined to respond to MasterCard's assertion.

Lang also declined to say how many more customers could be affected. Last month, she acknowledged that potentially millions of shoppers may have had their data exposed to fraud. The company does not know, Lang added, if the people responsible for the 2005 breach are the same hackers who broke into the system in 2006.

The incremental disclosures suggest TJX was using weak technology, payment industry specialists said.

"It's pretty clear their systems were out of date," said Gartner Inc. technology analyst Avivah Litan. "It's very unlikely they had the auditing tools they needed to determine what data was exposed."

Litan estimated that yesterday's disclosures could enlarge the pool of customers at risk of identity theft by millions.

After discovering the hacking, TJX hired more than 50 security experts to help contain and investigate the problem. Last month, TJX said it discovered the breach in mid-December. Yesterday, TJX said contractors reviewing the systems found that intrusions had occurred as early as July 2005; previously the company believed the intrusions began in 2006.

Yesterday, TJX also said some customer transaction data at stores in the United States, Puerto Rico, and Canada from January 2003 through June 2004 were compromised, beyond its past reports of problems.

Previously, the company reported that much of this information "had potentially been accessed," suggesting it might not have been taken or copied.

In addition, TJX said that it had "found evidence of an intrusion" to systems that process transactions for its British and Irish TK Maxx stores; previously it had said only that it was concerned about that data.

The retailer said it suspects the data may have been compromised but hasn't confirmed any theft of the information. TJX, which operates more than 2,500 stores worldwide, reiterated that information from transactions at its Bob's Stores chain and transactions made with debit cards from Canadian banks had not been compromised.

TJX also said yesterday that it had found additional driver's license numbers were compromised, along with names and addresses, related to merchandise returns at T.J. Maxx, Marshalls, and HomeGoods stores in the United States and Puerto Rico, in the last four months of 2003 and in May and June of 2004. Identity thieves often seek driver's license data to help them construct profiles for fraudulent online purchases and similar scams.

"There's a major effort going on at this company to find out more information," Lang said. "It's a really complex job and very time-consuming. By necessity it's taking time, and that's why we were able to say what we did in January, and today we were able to say more."

A test for TJX now is whether shoppers will be turned off by the lack of details about the security breach, or simply dismiss the matter as an unavoidable shopping risk.

Richard Nicolazzo, a Boston crisis-communications consultant, said TJX would do better by making public a more specific estimate of the scope of the breach, such as whether it could affect 50 people or 50 million.

"In any crisis, part of what you want to do is create a context and a framework for people. Here, people simply don't know if their privacy has been compromised, which puts into question the credibility of the leadership and the brand," he said.

TJX appears to have suffered little financial fallout. Its stock fell just 2 percent yesterday after the company disclosed the new problems, along with its fourth-quarter earnings. For the three months ended Jan. 27, TJX said, profit fell to $205 million from $288 million in the same period a year earlier.

Store closings led TJX to take a $38 million charge, while the cost of investigating the breach and upgrading systems was $5 million through the end of the quarter.

On an earnings webcast with analysts yesterday, TJX executives said that store traffic through the end of January hasn't suffered since its Jan. 17 announcement of the security breach. "I want to assure our shareholders that our operational management team isn't being distracted from our core business or our opportunities to grow," said chief executive Carol Meyrowitz on the webcast.

Mark Montagna, analyst at CL King in New York, said yesterday's share decline had more to do with lower-than-expected earnings guidance TJX gave yesterday than the data problems.

"I don't think that overall Wall Street is seeing it as that big an issue," Montagna said.

He praised TJX's management and noted that other retailers have faced similar security problems. "Once they get this resolved, it's behind them," he said.

TJX appears to be betting that customers whose accounts are compromised will focus their ire on banks that have to replace their credit cards, rather than on the retailer, said Ken Steinberg, chief executive of Savant Protection Inc., a Nashua, N.H., maker of security software.

"The retail shopping public has a very short memory, and this isn't going to keep people away," he said.

Ross Kerber can be reached at kerber@globe.com.