TK Maxx data theft: UK shoppers at risk

US-based retailer TJX reveals that UK shoppers at its UK stores have had their personal and financial data stolen, which could be used for fraudulent transactions.

Customers of discount clothing chain TK Maxx have today been warned that their credit cards could be used by criminals for fraudulent transactions, after the retailer confirmed that financial and personal data relating to UK shoppers has been stolen from the company as part of a wider data security breach.

The theft, already one of the world's largest incidents of corporate data theft, has so far seen US-based retailer TJX admit that 45.7 million credit and debit cards was stolen from the company in a computer data security breach over an 18-month period.

The firm also confirmed that as well as financial data, thieves were able to copy customer's personal information - including names, addresses driving licence and other identification data - belonging to approximately 451,000 people who had returned goods to stores without a receipt. This is in addition to 3,600 other cases the company had previously admitted to.

The company operates TK Maxx in Britain and Ireland, as well as TJ Maxx and Marshall's chains in North America.

In a message on its web site, the company said credit and debit card customers in the UK should check their statements for any unauthorised transactions and contact their card issuer as needed in the event of any unauthorised or odd transactions appearing.

The company gave the details of the data theft in a regulatory filing to the US Securities and Exchange Commission (SEC) yesterday, more than two months after first disclosing that its computer system had been compromised by hackers.

In its submission to the SEC, TJX tried to allay concerns by highlighting that as much as three quarters of the data stolen was either incomplete or out-of-date. However, out-of-data credit card information can still be used for fraud in countries where online point-of-sale credit card authorisation is not commonplace.

It said it did not believe PIN numbers were stolen, as they were not stored on its UK computer systems, which are located in Watford, but were held on an encrypted system in the US.

Industry experts have been quick to voice their concerns over how the breach could have happened, and continued for such a period of time.

"The visibility of this type of attack further strengthens the need for wider reaching preventive technology" said Mike Smart, European product manager for security technology specialist Secure Computing. "We find that 80 per cent of confidential data is typically undetectable by 90 per cent of firewalls used by most companies. As a result, sensitive data can leak from the organisation without their knowledge."

TJX said it believes its computer system were hacked in July 2005, then on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007. The stolen data related mostly to sales and returns made between 2003 and 2004.

"This attack demonstrates that standard network security solutions are no longer sufficient to cope with the capabilities of today's hacker. All solutions employed need to be looking for application based protection and not network based. Those days are sadly, long gone." added Smart.

The company said it had contacted Scotland Yard and the UK Information Commissioner about the breach.

Sandra Quinn, of British payments system Apacs, said in a radio interview the theft was on a scale not heard of before but said much of the lost data would be out of date.

"I'd like to reassure customers that if they were doing transactions with TK Maxx between 2003 and 2004 they will generally now have a brand new debit or credit card in their wallet, so they can be sure that it will be the old details on the card that has been compromised, not their current card," she said.

With credit card issuers tightening their procedures and transferring responsibility for fraud to retailers and customers, the implications for security failures by retailers going forward is set tot be huge in terms of lost reputation and ability to trade.

"This is a frightening illustration that when retailer systems are hacked - even if it occurs on the other side of the world - the card details of customers in every country are at risk because of the way companies share and store information globally" said Jamie Cowper at data security expert PGP. "With standards such as the Payment Card Industry Data Security Standard (PCI DSS) coming into force in June 2007, retailers such as TJX will have to safeguard its customers' card information - or face losing their credit card facilities altogether."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

(Additional reporting by Reuters)

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Recommended

Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Australia announces $1.35 billion investment in cyber security
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
CSA and ISSA form cyber security partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020
Labour Party donors caught up in Blackbaud data breach
data breaches

Labour Party donors caught up in Blackbaud data breach

31 Jul 2020
Why it’s time to expand beyond 16:9 monitors
Advertisement Feature

Why it’s time to expand beyond 16:9 monitors

21 Jul 2020