Fla., TJX differ on scam timeline
Police file suggests chain knew 9 months earlier of data breach
State investigators looking into the theft of more than 45 million credit and debit card numbers from TJX Cos. are trying to determine when the Framingham retailer first learned that its computer systems were compromised.
In recent weeks several legal documents in connection with the incident, the largest reported breach of card data in US history, have been filed in Florida courts and with securities regulators. The firm's timeline of events, however, doesn't match the version of events as outlined by Florida investigators.
TJX, parent of discount chains including TJ Maxx and Marshalls, said in a securities filing last month that it learned of the security breach in its systems on Dec. 18, when it discovered unauthorized software had been placed its computer systems. It also reported that it delayed notifying the public for a month, at the direction of the US Secret Service, which TJX said wanted to make sure a disclosure wouldn't compromise its ongoing investigation. The Secret Service is the federal agency that protects the nation's electronic-payment and financial systems.
However, a document filed by Florida police officials says that TJX reported a breach involving thousands of card numbers to the Secret Service in March of 2006, nine months earlier. Florida officials filed the document in connection with the arrests of six people charged with using information taken from TJX to steal millions of dollars with worth of goods.
Kim Bruce, a spokeswoman for the US Secret Service, disputed the suggestion that the agency learned of the breach in March 2006. "We first got the information from TJX in December and have been investigating since then," she said.
A TJX spokeswoman, Sherry Lang, called the March date in the Florida filing incorrect. "We stand behind our statements we have made in our press releases," she said. "We reported it to law enforcement in December of 2006. Anything else anyone is saying about this is incorrect."
The issue of timing is important because had TJX learned of and reported the problem earlier, security specialists say, customers and merchants could have had more warning to guard against fraud, potentially saving millions of dollars in losses. Several pending lawsuits against TJX question whether the company disclosed the breach early enough.
Randy Roberts, a detective in Gainesville, Fla., who signed the filing known as a probable cause affidavit, said he could not discuss the March date. He said he learned of the TJX connection to his investigation once it began in November. He referred further questions to a department spokesman, who declined to elaborate.
A group of state attorneys general led by Massachusetts Attorney General Martha Coakley is looking into the TJX data breach to determine whether consumer-protection laws were violated. In an interview yesterday, Coakley did not address the discrepancies directly, but said "we're looking at all the factors in this breach, including when and how it was discovered and when it was reported to the authorities."
Another participant in the group, Connecticut Attorney General Richard Blumenthal, confirmed that "the issue of timing relative to the discovery of this problem" is under investigation. Both Blumenthal and Coakley said they couldn't comment further.
Ross Kerber can be reached at kerber@globe.com. 
