TJX Remains In Data Breach Hell

By Deborah Gage  |  Posted Monday, April 02, 2007 19:04 PM

Check TJX's annual report, filed on March 28, for the retailer's latest account of its data breach, now known as "the biggest data breach ever."

What TJX says it knows: - Some of what was stolen--at least 45 million credit and debit cards, plus names, addresses and personal ID numbers of 451,000 people who returned merchandise without receipts, among other things - Which TJX systems were involved - That the intruder(s) were able to decrypt TJX's encryption software and also monitor unencrypted transactions flowing between TJX and payment card issuers

What TJX says it doesn't know:

- The identity of the thieves - How many thieves were involved - How many times they broke into TJX's system - The ultimate cost to TJX. It took a pre-tax charge in the fourth quarter of $5 million, or one cent per share. One security vendor, Protegrity, estimates the cost to TJX at $1.6 billion.

What TJX says it may never know:

- Exactly which data were stolen--partly because it deleted files in the ordinary course of business that were already stolen, and partly because of "the technology used by the Intruder in the Computer Intrusion."

Meanwhile, TJX has been sued by customers in Canada, Puerto Rico and three U.S. states plus financial institutions. And it is under investigation by a coalition of 30 state Attorneys General, the Federal Trade Commission, and several agencies in Canada.