Data Breaches

Breach Subtotal

Breach Type: all
Organization Type: all
Year(s) of Breach: all
Company or Organization:
Date Made Public:
January 17, 2007
Company: TJ stores (TJX), including TJMaxx, Marshalls, Winners, HomeSense, AJWright, KMaxx, and possibly Bob's Stores in U.S. & Puerto Rico -- Winners and HomeGoods stores in Canada -- and possibly TKMaxx stores in UK and Ireland
Location: Framingham, Massachusetts
Type of breach:
Type of organization:
Records Breached:

The TJX Companies Inc. experienced an unauthorized intrusion into its computer systems that process and store customer transactions including credit card, debit card, check, and merchandise return transactions. It discovered the intrusion mid-December 2006. Transaction data from 2003 as well as mid-May through December 2006 may have been accessed. According to its Web site, TJX is the leading off-price retailer of apparel and home fashions in the U.S. and worldwide.

Note on our total: included in this breach are 45,700,000 credit and debit card account numbers; 455,000 merchandise return records containing customer names and driver's license numbers; recovery of about 200,000 stolen credit card account numbers; records then 1indicated an additional 48 million people have been affected. Totals were estimated at 94 million but now seem to have affected over 100 million accounts.

UPDATE  (2/22/2007):TJX said that while it first thought the intrusion took place from May 2006 to January 2007, it now thinks its computer system was also hacked in July 2005 and on various subsequent dates that year.

UPDATE (3/21/2007): Information stolen from TJX's systems was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials.

UPDATE  (3/29/2007): The company reported in its SEC filing that 45.7 million credit and debit card numbers were hacked, along with 455,000 merchandise return records containing customers' driver's license numbers, Military ID numbers or Social Security numbers.

UPDATE (4/22/2007): Initially, TJX said the break-in started seven months before it was discovered. Then, on Feb. 18, the company noted the perpetrators had access to data for 17 months, and apparently began in July 2005.

UPDATE (04/26/2007): Three states' banking associations (MA, CT, and ME) filed a class action lawsuit against TJX to recover the costs of damages totaling tens of millions of dollars incurred for replacing customers' debit and credit cards.

UPDATE (05/04/2007): An article in the WSJ notes that because TJX had an outdated wireless security encryption system, had failed to install firewalls and data encryption on computers using the wireless network, and had not properly install another layer of security software it had bought, thieves were able to access data streaming between hand-held price-checking devices, cash registers and the store's computers. 21 U.S. and Canadian lawsuits seek damages from the retailer for reissuing compromised cards.

UPDATE (07/10/2007): U.S. Secret Service agents found TJX customers' credit card numbers in the hands of Eastern European cyber thieves who created high-quality counterfeit credit cards. Victims are from the U.S., Europe, Asia and Canada, among other places, Several Cuban nationals in Florida were arrested with more than 200,000 credit card account numbers.

UPDATE (08/31/2007): The U.S. Secret Service Agency earlier this week said it has arrested and indicted four members of an organized fraud ring in South Florida, charging each of them with aggravated identity theft, counterfeit credit-card trafficking, and conspiracy.

UPDATE (09/21/2007): A ring leader in the TJX Cos.-linked credit card fraud, was sentenced to five years in prison and has been ordered to pay nearly $600,000 in restitution for damages resulting from stolen financial information.

UPDATE (09/25/2007): TJX announced the terms of a settlement for customers affected by the data breach -- with strings attached. Credit monitoring will be offered to about 455,000 of the 46 million affected. TJX will reimburse customers who had to replace driver's licenses as a result of the breach if they submit documentation for the time and money spent on replacing licenses. The company will give a $30 store voucher to those customers who submit documentation about their lost time and money. And TJX will hold a special 3-day sale with a 15% discount sometime in 2008. The settlement still needs to be approved by the court.

UPDATE (10/23/2007): Court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million.

UPDATE (10/23/2007): The total number of records increased from 167 million to 215 million. Recent court filings in a case brought by banks against TJX say the number of accounts affected by the thefts topped 94 million, up considerably from 45,7 million credit and debit card account numbers initially thought to be compromised. Breach costs have been estimated at $216 million.

UPDATE (11/30/2007): Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc.

UPDATE (12/05/2007): An article estimates TJX expenses at $500 million to $1 billion. In a settlement with VISA USA, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments program for customers affected by the breach. At least 19 lawsuits have been filed, and there are investigations underway by the Federal Trade Commission and 37 state Attorneys General.

UPDATE (12/18/2007): TJX has settled the lawsuit for an undisclosed amount.Although both sides said the settlement total would remain confidential, TJX said the costs were covered by a $107 million reserve that it set aside against its second-quarter earnings.TJX also has said that $107 million would cover the costs of another breach agreement: a Nov. 30 deal with Visa Inc. to help pay a maximum $40.9 million to help the network's card-issuing banks recover expenses to replace customers' Visa cards.

UPDATE (2/10/2008): Notices are going out to millions of customers who may have had credit card information compromised in a data breach. The notices contain information about eligibility for compensation such as vouchers and credit monitoring to be provided under a proposed settlement.

UPDATE (4/2/2008): TJX Cos. reached a settlement with MasterCard Inc. in which it will pay up to $24 million to banks and other institutions to cover fraud losses stemming from a massive data breach disclosed last year. They also struck a similar deal with rival card network Visa in which it agreed to pay up to $40.9 million. As in that deal, TJX said the costs of its MasterCard settlement are included in the $256 million the company has set aside to pay for computer work and other costs associated with the breach.

UPDATE (5/14/2008): The TJX Companies, Inc. today announced that it completed its previously announced settlement with MasterCard International Incorporated and its issuers. Financial institutions representing 99.5% of eligible MasterCard accounts worldwide claimed to have been affected by the unauthorized computer intrusion(s) at TJX accepted the alternative recovery offer under TJX's previously announced Settlement Agreement with MasterCard.

UPDATE (8/5/2008): Eleven perpetrators allegedly involved in the hacking of nine major U.S. retailers have been charged with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft. This is the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. An indictment was returned on Aug. 5, 2008. Conspirators obtained the credit and debit card numbers by wardriving and hacking into the wireless computer networks of major retailers -- including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. The indictments are the result of a three-year undercover investigation conducted out of the San Diego Field Office of the U.S. Secret Service.

UPDATE (8/30/2008): TrustCo BankCorp NY sued TJX in August 2008 to recoup costs it incurred from reissuing an estimated 4,000 customer MasterCard debit cards after hackers accessed the TJX computer network. The bank stated its cost for the breach was up to $20 per affected account, explaining that it suffered losses from administrative expenses and lost interest and transaction fees. Later in the month, TJX in turn claimed that Trustco failed to implement policies or procedures that would have enabled the bank to avoid canceling and replacing customer debit cards.

UPDATE (9/22/2008):One of the 11 people arrested last month in connection with the massive data theft at T JX Companies Inc., BJ Wholesale Clubs Inc. and several other retailers pleaded guilty yesterday to four felony counts, including wire and credit card fraud and aggravated identity theft. Many of the Internet attacks that he facilitated were SQL injection attacks, according to court documents. The stolen data was sold to cyber criminals in Eastern Europe and the U.S. or used to make fraudulent credit and debit cards.

UPDATE (6/26/2009): TJX has agreed to pay $9.75 million to 41 states and to implement and maintain a comprehensive information security program, designed to safeguard consumer data and address any weaknesses in TJX's systems in place at the time of the breach. Of the $9.75 million monetary payment under the settlement, $5.5 million is to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million is to reimburse the costs and fees of the investigation. Further, $2.5 million of the settlement will fund a Data Security Trust Fund to be used by the state Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information.

UPDATE (7/28/2009): Pennsylvania and 40 other states reached a $9.75 million settlement.

UPDATE (9/4/2009): TJX settles for $525K with four banks. As part of the settlement with AmeriFirst Bank, Trustco Bank, HarborOne Credit Union and SELCO Community Credit Union, the Framingham, Mass.-based retailer paid $525,000. The money primarily will be used to cover the banks' expenses in pursuing the legal action.

UPDATE (12/15/2009):A Miami hacker who had already pleaded guilty to computer fraud and identity theft for breaches at retailers T.J. Maxx, OfficeMax, and many other merchants, pleaded guilty on Tuesday to similar charges related to breaches at Heartland Payment Systems, 7-11, Hannaford Brothers supermarkets, and two other companies. Albert Gonzalez, 28, reiterated terms of a plea agreement in U.S. District Court in Boston. A week earlier, co-conspirator Stephen Watt of New York, appeared in that same court and was ordered to serve two years in prison and pay $171.5 million in restitution for developing a sniffing program used to grab payment card data in the breach at the TJX companies between 2003 and 2008.

UPDATE (3/17/2010): Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking. Zaman was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts. Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers. Zaman is the second conspirator in the TJX case to be charged. Former Morgan Stanley coder, Stephen Watt, was sentenced in December to two years in prison for his role in the TJX case, which involved supplying Gonzalez with a sniffer program used to siphon card data from the TJX network. 

UPDATE (3/29/2010): A 28-year-old college dropout who became the world’s biggest credit card hacker on Thursday was sentenced to 20 years in prison for stealing millions of credit union and bank account records from TJX Cos., BJ’s Wholesale Club, Office Max, Dave & Busters, Barnes & Noble and a string of other companies – even as he was working as a $75,000-a-year undercover informant for the U.S. government in identity theft cases. But that’s not the end of it, as Albert Gonzalez is scheduled to be sentenced again to additional years behind bars for additional data thefts at Heartland Payment Systems, Hannaford Bros. supermarkets and 7-Eleven convenience stores. The theft of credit card data cost financial institutions, insurers and cardholders an estimated $200 million, according to law enforcement. JC Penney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that $17 billion JC Penney chain was one of Gonzalez.s victims, even though JC Penney's media representatives were denying it. But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C. and Puerto Rico, had kept their identity secret. No more and that.s the way Woodlock wanted it. 

UPDATE (4/16/2010): Damon Patrick Toey, the 'trusted subordinate' of TJX hacker Albert Gonzalez, was sentenced in Boston to 5 more years in prison. He also received a $100,000 fine and three years. supervised release, according to the Justice Department.

UPDATE (7/8/2010): TJX has settled another lawsuit.  The Louisiana Municipal Police Employees' Retirement System, a shareholder of TJX stock, settled with TJX for $595,000 in legal fees and enhanced oversight of customer files.

UPDATE (4/8/2011): Albert Gonzalez is appealing his conviction for his role in a large data breach by claiming that his actions were authorized by the Secret Service.  The government acknowledged that Gonzalez was a key undercover Secret Service informant at the time of the breaches.  In a 25-page petition, Gonzalez faulted one of his attorney's for failing to prepare a "Public Authority" defense, which would have argued that he committed crimes with the approval of government authorities.

Information Source:
Dataloss DB