TJX, the parent company of a discount retail chain that includes TJ Maxx and Marshalls stores says it learned of a security breach involving the theft of 45 million credit and debit card numbers last December. But documents filed by Florida investigators claim the company was aware that its computer system had been compromised nearly nine months earlier. Security experts say the timing is important because an earlier warning would have given customers more time to protect themselves in what is now believed to be the largest theft of consumer data in U.S. history. VOA's Mil Arcega reports.
The TJX Companies, which owns about 2,500 stores in the United States, says most of the stolen information was of no use to thieves. TJX says when the thefts were discovered – nearly three-quarters of the data had expired and some of the card numbers had been electronically masked.
But that was little comfort for some customers of the discount chain. "I don't feel secure shopping at T.J.Maxx with credit any more. Cash only, " says one shopper. Another says "It's not worth it. You save a little but the risk is way too high."
Officials say hackers broke into the company's computers at two sites: The TJX headquarters in Framingham, Massachusetts, and an office in Watford, England. For two years, the hackers downloaded personal information from millions of credit and debit cardholders. Former prosecutor Mark Rasch blames TJX.
"The bad guys got in and owned them,” he says. “They had their encrypted data, they had their credit card data. And it is hard to believe they could have done that if somebody hadn't messed up at TJX."
The thefts came to light after the arrest of several people at a Florida Walmart. Investigators don't believe the group committed the thefts, but they say that they may have used stolen card numbers to buy $1 million worth of gift certificates.
Mike Vitas is the former head of the Federal Bureau of Investigation's Cyber Unit. He says the crooks are getting better.
"And the good guys are not doing a good enough job to bolster their defenses quickly enough to deal with the increasing attacks that they're seeing," he says.
The investigation is now looking at when the company knew about the security breach. Recent documents filed by Florida police suggest the company was aware that unauthorized software had been placed in its systems as early as March 2006. TJX officials say that information is incorrect.