The TJX Companies, Inc. reported updated findings from the company's ongoing investigation of the previously announced unauthorized intrusion into its computer systems.

Carol Meyrowitz, president and CEO of The TJX Companies, commented, “Let me begin by telling our customers personally how much I regret any problems or inconvenience they may have experienced as a result of the unauthorized intrusion into our computer system. Our investigation is ongoing, and we are providing an update today on new developments. We are dedicating substantial resources to investigating and evaluating the intrusion which, given the nature of the breach, the size and international scope of our operations, and the complexity of the way credit card transactions are processed, is, by necessity, taking time. We have a very large team of people working on the investigation. For example, the leading computer security experts working with us have over 50 experts committed to this project. Additionally, with their help, we have strengthened the security of our computer systems. Based on everything we have done, I believe customers should feel safe shopping in our stores. We value our customers' trust and I want our customers to know that I am deeply committed to continuing to address the security of our computer systems, and that TJX will provide periodic updates as we learn more.”

The following are new findings based on TJX's current information from its ongoing investigation of the previously announced unauthorized intrusion into its computer system:


While the company previously believed that the intrusion took place only from May 2006 to January 2007, TJX now believes its computer system was also intruded upon in July 2005 and on various subsequent dates in 2005. TJX continues to believe there was no compromise of customer data after mid-December 2006.

Credit and Debit Card Data

In addition to the customer data the company previously reported as compromised, the company now believes that information regarding portions of the credit and debit card transactions at its U.S., Puerto Rican and Canadian stores (excluding debit card transactions with cards issued by Canadian banks) from January 2003 through June 2004 was compromised. The company had previously reported that the 2003 transaction data had potentially been accessed. For most of the transactions from September 2003 through June 2004, some of the card information was masked at the time of the transaction, making that portion unavailable to the intruder.

Names and addresses were not included with the credit and debit card data believed compromised. Debit card personal identification numbers (PINs), information from transactions at Bob's Stores, and transactions made with debit cards issued by Canadian banks are not believed to have been compromised.

Drivers' License Numbers

TJX has found additional drivers' license numbers together with related names and addresses that it believes were compromised. This information was associated with unreceipted merchandise returns at its T.J. Maxx, Marshalls, and HomeGoods stores in the U.S. and Puerto Rico for the last four months of 2003 and May and June 2004. TJX intends to notify customers it is able to identify whose drivers' license numbers, names and addresses were included in the information believed to have been compromised.

T.K. Maxx

The company had previously reported that it was concerned that T.K. Maxx customer transactions in the UK and Ireland could be involved. TJX's investigation has found evidence of an intrusion into the portion of its computer system that processes T.K. Maxx customer transactions. While TJX continues to suspect that customer information may have been compromised from this portion of its network, the company has not been able to confirm any unauthorized access to customer data or any theft of customer data from T.K. Maxx.