TK Maxx owner criticised after security breach

Visa has claimed that TJX, parent company of UK retailer TK Maxx, was violating data-storage rules when a hacker broke in and stole customer details
Written by Richard Thurston, Contributor

The parent company of TK Maxx, the high-street retailer, was breaking financial standards when its customers' credit card details were stolen just before Christmas, it has been claimed.

According to a Visa email alert sent to financial institutions, parent company TJX was storing credit card information in violation of the Payment Card Industry Data Security Standard, a framework aimed at preventing credit card fraud, which is backed by both Visa and Mastercard.

TJX should not have stored credit card information longer than necessary, yet card information dating from 2003 was stolen, according to experts interviewed for a report by Information Week. "I can see storing data for a few hours or a day until transactions clear, but some of the stolen data goes back to 2003. That's a long time to be out of compliance," said an executive from a California credit union that issues Visa cards to its members, speaking to Information Week.

TK Maxx had not responded to requests for comment at the time of writing.

TJX admitted two weeks ago that customers' credit card details had been stolen after its network security was breached by a hacker, and that it did not know the full extent of the problem. Although the security breach took place in the US, UK customers may have been affected. Millions of card accounts are thought to have been affected, and some account details have since been used fraudulently. Some 23 percent of these fraudulent transactions took place outside the US.

TK Maxx customers who spot unexpected transactions on their bank statements have been urged to contact both the company and their bank. TJX claims it has since shored up its network security.

Editorial standards