TK Maxx data theft: UK shoppers at risk

US-based retailer TJX reveals that UK shoppers at its UK stores have had their personal and financial data stolen, which could be used for fraudulent transactions.

Customers of discount clothing chain TK Maxx have today been warned that their credit cards could be used by criminals for fraudulent transactions, after the retailer confirmed that financial and personal data relating to UK shoppers has been stolen from the company as part of a wider data security breach.

The theft, already one of the world's largest incidents of corporate data theft, has so far seen US-based retailer TJX admit that 45.7 million credit and debit cards was stolen from the company in a computer data security breach over an 18-month period.

The firm also confirmed that as well as financial data, thieves were able to copy customer's personal information - including names, addresses driving licence and other identification data - belonging to approximately 451,000 people who had returned goods to stores without a receipt. This is in addition to 3,600 other cases the company had previously admitted to.

The company operates TK Maxx in Britain and Ireland, as well as TJ Maxx and Marshall's chains in North America.

In a message on its web site, the company said credit and debit card customers in the UK should check their statements for any unauthorised transactions and contact their card issuer as needed in the event of any unauthorised or odd transactions appearing.

The company gave the details of the data theft in a regulatory filing to the US Securities and Exchange Commission (SEC) yesterday, more than two months after first disclosing that its computer system had been compromised by hackers.

In its submission to the SEC, TJX tried to allay concerns by highlighting that as much as three quarters of the data stolen was either incomplete or out-of-date. However, out-of-data credit card information can still be used for fraud in countries where online point-of-sale credit card authorisation is not commonplace.

It said it did not believe PIN numbers were stolen, as they were not stored on its UK computer systems, which are located in Watford, but were held on an encrypted system in the US.

Industry experts have been quick to voice their concerns over how the breach could have happened, and continued for such a period of time.

"The visibility of this type of attack further strengthens the need for wider reaching preventive technology" said Mike Smart, European product manager for security technology specialist Secure Computing. "We find that 80 per cent of confidential data is typically undetectable by 90 per cent of firewalls used by most companies. As a result, sensitive data can leak from the organisation without their knowledge."

TJX said it believes its computer system were hacked in July 2005, then on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007. The stolen data related mostly to sales and returns made between 2003 and 2004.

"This attack demonstrates that standard network security solutions are no longer sufficient to cope with the capabilities of today's hacker. All solutions employed need to be looking for application based protection and not network based. Those days are sadly, long gone." added Smart.

The company said it had contacted Scotland Yard and the UK Information Commissioner about the breach.

Sandra Quinn, of British payments system Apacs, said in a radio interview the theft was on a scale not heard of before but said much of the lost data would be out of date.

"I'd like to reassure customers that if they were doing transactions with TK Maxx between 2003 and 2004 they will generally now have a brand new debit or credit card in their wallet, so they can be sure that it will be the old details on the card that has been compromised, not their current card," she said.

With credit card issuers tightening their procedures and transferring responsibility for fraud to retailers and customers, the implications for security failures by retailers going forward is set tot be huge in terms of lost reputation and ability to trade.

"This is a frightening illustration that when retailer systems are hacked - even if it occurs on the other side of the world - the card details of customers in every country are at risk because of the way companies share and store information globally" said Jamie Cowper at data security expert PGP. "With standards such as the Payment Card Industry Data Security Standard (PCI DSS) coming into force in June 2007, retailers such as TJX will have to safeguard its customers' card information - or face losing their credit card facilities altogether."

Advertisement - Article continues below
Advertisement - Article continues below

(Additional reporting by Reuters)

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now


data breaches

Printing company exposes 343GB of sensitive military data

20 Mar 2020

10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Most Popular


Zoom kills Facebook integration after data transfer backlash

30 Mar 2020
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
high-performance computing (HPC)

IBM dedicates supercomputing power to coronavirus research

24 Mar 2020