By Steve Ranger, 30 March 2007 14:47
Shoppers who have used their credit and debit cards in high street retailer TK Maxx are being urged to review their statements after it was revealed hackers may have stolen details of 45 million payment cards from the retailer's US parent company.
TJX - which operates the TK Maxx chain in the UK - revealed it has suffered "an unauthorised intrusion or intrusions" into the systems that process and store information related to customer transactions.
It said the intrusion affected the portion of TJX's computer system that handles most credit card, debit card, cheque and merchandise return transactions for most of its stores in Canada, Puerto Rico and the US, along with a portion of its computer system in the UK that handles credit and debit card transactions for stores in the UK and Ireland.
It said the systems were first accessed by intruders in July 2005, and then on subsequent dates in 2005, and from mid-May 2006 to mid-January 2007. But the company said no customer data was stolen after 18 December 2006.
In a warning on its website, the company said: "We do not know who the intruder was, whether there was one or more intruders, or whether there was one or separate intrusions." It warned that credit and debit card transactions at TK Maxx stores in the UK and Ireland could have been affected.
It added: "If any unauthorised or suspicious card use is detected, please contact the credit card issuer or bank immediately."
The company said it does not know whether any fraudulent use of the data has occurred.
It has strengthened the security of its computer systems and TJX president and CEO, Carol Meyrowitz, said: "We believe customers should feel safe shopping in our stores."
TJX said it learned of "suspicious software" on its computer systems on 18 December last year and, following an investigation, notified law enforcement on 22 December. It wasn't until 27 December that the company "learned that any customer data apparently had been stolen", it said.
It added in a statement: "The credit and debit card information that we believe was stolen does not include customer names and addresses, only numerical card information."


Comments
1. anonymous
There is a global security standard mandated by Mastercard, VISA and the other providers, requiring (among other things) the encryption of transmitted and stored card information and the subsequent audit of compliance with the standard. This incident indicates that this standard is at best patchy in its implementation.
2. anonymous
Once they've been paid by the bank, surely they don't need the card data, so why keep it?