In video message, TJX says it delayed reporting for security reasons

January 29, 2007 11:15 AM

TJX Cos. of Framingham took a month to make public a computer security breach because it was trying to prevent further damage, the company's chairman, Ben Cammarata, said in a full-page advertisement in Boston newspapers and in a video message that was posted on the company website this morning.

TJX Cos., the parent company of discount retailers T.J. Maxx and Marshalls, discovered in mid-December that customer data had been stolen by computer hackers and used to make fraudulent debit card and credit card purchases, but didn't inform the public of the breach until mid-January.

"By delaying a public announcement, with the help of top security experts, we were able to contain the problem and further strengthen our computer network to prevent further intrusion," Cammarata wrote in the letter that ran in The Boston Globe Sunday and in the Boston Herald Monday. "Therefore, we believe we were working in the best interests of our customers."

TJX also will not offer to pay for credit-card monitoring for customers whose credit and debit card numbers had been compromised, Cammarata said in today's video.

"Based on the type of data involved in the breach of our systems, we don't believe that such monitoring will be meaningful to customers. In other words, credit monitoring does not detect fraudulent charges on your credit and debit card accounts," Cammarata said.

TJX has not reached out personally to most customers, Cammarata said, because much of the information stolen did not include customer names and addresses. Cammarata, however, said he has personally sent letters to a group of customers whose names, addresses, and driver's license numbers were stolen.

The letter, addressed to "Our Valued Customers," also detailed the company's efforts to prevent further computer system intrusions.

"We immediately engaged two leading computer security and incident response firms to investigate the problem and enhance our computer security in order to protect our customers' data," Cammarata said.

The company is working with law enforcement and banks and has set up customer help lines.

Cammarata also announced in the letter that the security breach didn't appear to involve transactions made at Bob's Stores, and that transactions using debit cards issued by Canadian banks weren't involved.

The fraudulent purchases have been made in Florida, Georgia and Louisiana, and overseas in Hong Kong and Sweden.

Cammarata also warned TJX customers to be wary of scams or hoax e-mails, and said that TJX is not soliciting customer information via phone or e-mail.

In addition to T.J. Maxx, Marshalls, and Bob's Stores, TJX operates HomeGoods and A.J. Wright in the US, Winners and HomeSense in Canada, and T.K. Maxx in Britain.

TJX disclosed on Jan. 17 that hackers had broken into a system that handles credit and debit card transactions, as well as checks and merchandise returns. The company said the stolen customer data included information from 2003 transactions, as well as information from mid-May 2006 through December.
(By Jenn Abelson, Globe staff, and wire reports)
