TJX Cos. confirmed that credit- and debit-card information for at least 45.7 million of its customers was stolen in 2003.
In a regulatory filing with the SEC, the off-pricer said about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic strips had been masked — stored as asterisks rather than numbers. Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing. TJX did not give estimates of the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003 to June 28, 2004.
TJX said in the filing that “substantially all stolen data” from the latter period “were deleted in the ordinary course of business subsequent to the believed theft, but prior to discovery of computer intrusion.”
The filing also says, “We believe that the intruder had access to the decryption tool for the encryption software utilized by TJX.”