TJX Companies said 45.7 million accounts were compromised over nearly a two-year period, in an update Wednesday of an investigation into a data breach of customer records.
The scope of the breach, which was initially disclosed in January, is far wider than previously believed.
"This is the largest security breach we've ever had worldwide," said Avivah Litan, an analyst with research firm Gartner. "There was a case at CardSystems where 40 million records were exposed, but this one looks like it was a case where the information was stolen."
TJX, which operates such discount retail chains as T.J. Maxx and Marshalls in the U.S., released additional details of the breach in a filing with the Securities and Exchange Commission.
In its filing, TJX noted cyberthieves first accessed its computer systems in July 2005 and installed software to harvest such sensitive customer information as account information, names and addresses, drivers' license numbers and military and state identification. The breach continued through mid-January 2007.
Accounts and transactions affected included credit and debit card transactions, as well as checks and returned merchandise without receipts at the company's Marshalls, T.J. Maxx, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico. Credit card transactions at TJX's Winners and HomeSense stores in Canada, as well as credit and debit card transactions at its T.K. Maxx stores in Ireland and the U.K. were also compromised.
TJX rang up a pre-tax charge of $5 million in the fourth quarter to deal with the computer breach, which included the costs associated with investigating the issues, improving its security systems and notifying customers.
Those costs are likely to increase, given the multiple lawsuits customers have filed and investigations launched by a number of government agencies. According to the SEC filing, a multistate investigation is currently under way that encompasses 30 states, and the Federal Trade Commission is also reviewing whether TJX violated laws pertaining to consumer protection. In Canada, several privacy commissioner offices in various provinces are also reviewing the matter.
The security breach involving CardSystems, a third-party processor of payment data for banks and merchants, resulted in the exposure of credit card numbers for 40 million accounts--a figure comparable to the TJX case. Other notable cases include data broker ChoicePoint, which affected an estimated 145,000 Americans, and the University of California at Los Angeles, in which 800,000 people had their information compromised after a security breach.
In the case of TJX, Litan suspects it was a case where attackers gained access through a wireless regional hub for the company's store controllers that handle the point-of-sale system. From there, the attackers may have been able to work their way into TJX's central system, she noted.
"Most retailers aren't looking at their point-of-sale system," Litan said. "Most enterprises tend to forget about the devices hanging off of their networks. What happened here may not be all that uncommon."