TK Maxx data theft: UK shoppers at risk
By Chris Green
Customers of discount clothing chain TK Maxx have today been warned that their credit cards could be used by criminals for fraudulent transactions, after the retailer confirmed that financial and personal data relating to UK shoppers has been stolen from the company as part of a wider data security breach.
The theft, already one of the world's largest incidents of corporate data theft, has so far seen US-based retailer TJX admit that 45.7 million credit and debit cards were stolen from the company in a computer data security breach over an 18-month period.
The firm also confirmed that as well as financial data, thieves were able to copy customers' personal information - including names, addresses, driving licence and other identification data - belonging to approximately 451,000 people who had returned goods to stores without a receipt. This is in addition to 3,600 other cases the company had previously admitted to.
The company operates TK Maxx in Britain and Ireland, as well as the TJ Maxx and Marshalls chains in North America.
In a message on its web site, the company said credit and debit card customers in the UK should check their statements and contact their card issuer if any unauthorised or odd transactions appear.
The company gave the details of the data theft in a regulatory filing to the US Securities and Exchange Commission (SEC) yesterday, more than two months after first disclosing that its computer system had been compromised by hackers.
In its submission to the SEC, TJX tried to allay concerns by highlighting that as much as three quarters of the data stolen was either incomplete or out-of-date. However, out-of-date credit card information can still be used for fraud in countries where online point-of-sale credit card authorisation is not commonplace.
It said it did not believe PIN numbers were stolen, as they were not stored on its UK computer systems, which are located in Watford, but were held on an encrypted system in the US.
Industry experts have been quick to voice their concerns over how the breach could have happened, and how it continued for such a long period of time.
"The visibility of this type of attack further strengthens the need for wider reaching preventive technology," said Mike Smart, European product manager for security technology specialist Secure Computing. "We find that 80 per cent of confidential data is typically undetectable by 90 per cent of firewalls used by most companies. As a result, sensitive data can leak from the organisation without their knowledge."
TJX said it believes its computer systems were hacked in July 2005, then on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007. The stolen data related mostly to sales and returns made between 2003 and 2004.
"This attack demonstrates that standard network security solutions are no longer sufficient to cope with the capabilities of today's hacker. All solutions employed need to be looking for application based protection and not network based. Those days are, sadly, long gone," added Smart.