TK Maxx data theft: UK shoppers at risk

Customers of discount clothing chain TK Maxx have today been warned that their credit cards could be used by criminals for fraudulent transactions, after the retailer confirmed that financial and personal data relating to UK shoppers has been stolen from the company as part of a wider data security breach.

The theft, already one of the world's largest incidents of corporate data theft, has so far seen US-based retailer TJX admit that 45.7 million credit and debit cards was stolen from the company in a computer data security breach over an 18-month period.

The firm also confirmed that as well as financial data, thieves were able to copy customer's personal information - including names, addresses driving licence and other identification data - belonging to approximately 451,000 people who had returned goods to stores without a receipt. This is in addition to 3,600 other cases the company had previously admitted to.

The company operates TK Maxx in Britain and Ireland, as well as TJ Maxx and Marshall's chains in North America.

In a message on its web site, the company said credit and debit card customers in the UK should check their statements for any unauthorised transactions and contact their card issuer as needed in the event of any unauthorised or odd transactions appearing.

The company gave the details of the data theft in a regulatory filing to the US Securities and Exchange Commission (SEC) yesterday, more than two months after first disclosing that its computer system had been compromised by hackers.

In its submission to the SEC, TJX tried to allay concerns by highlighting that as much as three quarters of the data stolen was either incomplete or out-of-date. However, out-of-data credit card information can still be used for fraud in countries where online point-of-sale credit card authorisation is not commonplace.

It said it did not believe PIN numbers were stolen, as they were not stored on its UK computer systems, which are located in Watford, but were held on an encrypted system in the US.

Industry experts have been quick to voice their concerns over how the breach could have happened, and continued for such a period of time.

"The visibility of this type of attack further strengthens the need for wider reaching preventive technology" said Mike Smart, European product manager for security technology specialist Secure Computing. "We find that 80 per cent of confidential data is typically undetectable by 90 per cent of firewalls used by most companies. As a result, sensitive data can leak from the organisation without their knowledge."

TJX said it believes its computer system were hacked in July 2005, then on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007. The stolen data related mostly to sales and returns made between 2003 and 2004.

"This attack demonstrates that standard network security solutions are no longer sufficient to cope with the capabilities of today's hacker. All solutions employed need to be looking for application based protection and not network based. Those days are sadly, long gone." added Smart.

The company said it had contacted Scotland Yard and the UK Information Commissioner about the breach.

Sandra Quinn, of British payments system Apacs, said in a radio interview the theft was on a scale not heard of before but said much of the lost data would be out of date.

"I'd like to reassure customers that if they were doing transactions with TK Maxx between 2003 and 2004 they will generally now have a brand new debit or credit card in their wallet, so they can be sure that it will be the old details on the card that has been compromised, not their current card," she said.

With credit card issuers tightening their procedures and transferring responsibility for fraud to retailers and customers, the implications for security failures by retailers going forward is set tot be huge in terms of lost reputation and ability to trade.

"This is a frightening illustration that when retailer systems are hacked - even if it occurs on the other side of the world - the card details of customers in every country are at risk because of the way companies share and store information globally" said Jamie Cowper at data security expert PGP. "With standards such as the Payment Card Industry Data Security Standard (PCI DSS) coming into force in June 2007, retailers such as TJX will have to safeguard its customers' card information - or face losing their credit card facilities altogether."

(Additional reporting by Reuters)