The Scope of the TJX Scam

by MR Magazine Staff

NEW YORK – The TJX Companies Wednesday coughed up some of the numbers about its massive payment card scam and, while admittedly incomplete, they are enormous nonetheless.

The nation’s largest off-price retailer disclosed that at least 45.7 million of its customer records were stolen through computer theft in 2005 and 2006, but said that nearly three-quarters of them couldn’t be used by the hackers.

In its annual report, filed with the Securities and Exchange Commission on Wednesday, the company provided the first specific numbers about the investigation into the card fraud discovered in mid-December and first disclosed in mid-January.

Emphasizing that it hadn’t yet uncovered the total extent of the theft, and possibly won’t ever be able to, Framingham, Massachusetts-based TJX said that, in addition to the 45.7 million card records garnered through hacking, another 455,000 customer records were obtained based on data entered into its system about merchandise returned to it without receipts.

However, the overwhelming majority of these records were either for expired cards or for accounts that were entered into its system in encrypted form, meaning that asterisks substituted for numbers.

But based on its research so far, conducted in tandem with law enforcement officials as well as General Dynamics Corp and International Business Machines Corp, at least 11.6 million records, or about 24.4% of the total uncovered so far, were obtained illegally from valid accounts with no encryption of customer information.

The “computer intrusions” took place beginning in July 2005 and on subsequent dates that year as well as from mid-May 2006 until the mid-January of this year, but TJX doesn’t believe that customer data were compromised after Dec. 18, 2006, the date on which it discovered unauthorized software on its computers.

TJX reiterated its belief that no transactions involving Bob’s Stores were accessed, but indicated that customer data involving its TJ Maxx, Marshalls, HomeGoods and AJ Wright divisions in the US and Puerto Rico, from its Winners and HomeSense chains in Canada and from its TK Maxx operation in the UK and Ireland may be at risk.

Last week, six people in Florida were arrested and charged with using payment card information stolen from TJX to buy approximately $1 million of merchandise with gift cards.

In response to lawsuits brought against the company in the wake of the credit scam, and an investigation into it and what some deemed to be a delayed disclosure of the problem, TJX stated in its annual report, “We are vigorously defending the litigation and claims asserted against us with respect to the computer intrusion.”

An employee of TJX told MRketplace.com that no mention of the computer hacking incidents was made during a conference call with Carol Meyrowitz, chief executive officer, earlier in the week.