TJX Companies released Thursday some of the findings from its investigation into the massive security breach it announced last month that indicated the problems go back much earlier than last Christmas.
The breach is believed to have occurred between May 2006 and mid-December of 2006, but the report states that the investigation has unearthed other, earlier breaches, including several incidents in 2005. TJX discovered the most recent intrusion in December and reported it to authorities in the U.S. and Canada as well as the major credit card companies and its payment processors soon after it happened but at the request of law enforcement, it was kept quiet until late January.
TJX operates the Winners and HomeSense stores in Canada and T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico.
Brian O’Higgins, CTO of Third Brigade, a host intrusion defense systems vendor, said, “They’re following the honest disclosure course.”
“They’re handling it extremely well — totally transparently. You normally find that thy don’t talk about it at all,” said Andrew Graydon, CTO of security company BorderWare. (Although, as O’Higgins points out, the company was compelled to inform its customers, as some of them live in the 34 states that have breach notification laws.)
The damage, apparently, stretches back even further than 2005 — the report said that a year-and-a-half’s worth of credit and debit card transactions at TJX’s stores in the United States, Canada, and Puerto Rico were also compromised between January 2003 and June 2004. Among the transactions that happened during this breach, names and addresses linked to the credit and debit cards were not leaked, and transactions made at Bob’s Stores or with debit cards issued by Canadian banks were unaffected.
“The Canadian debit network doesn’t extend into the U.S.,” said Anna Rossetti, president of Giesecke & Devrient Systems Canada, a smart card solutions provider. She said that the States’ debit network is more fragmented and less integrated, which, in addition to the lack of a PIN on some cards, makes the debit transactions more open to tampering.
The years 2003 and 2004 also saw drivers’ license numbers — with names and addresses attached — also compromised; TJX plans to notify the customers’ who information was snatched.
T.K. Maxx customers in the U.K. and Ireland will be left hanging for a while, however. TJX has uncovered evidence that the T.K. Maxx customer transaction portion of its system has suffered an intrusion, and suspects that the information within has been compromised, but cannot confirm it.
To deal with the fallout from the breach, TJX has set up several help-lines for its customers. It has also employed over 50 experts from, according to the press release, “the leading computer security experts” to assist with the “very large team” running the investigation; they are also beefing up system security. (Neither McAfee nor Symantec could be reached for comment on whether they are the security vendors employed.)
“That sounds like a lot of people,” said O’Higgins. “They must have a massive problem on their hands, and a really complex back-end system.” He estimated that an investigation of this size could continue for many months.