Shoppers at the global discount chain TK Maxx have unwittingly been caught up in the biggest credit card security breach yet, in which hackers stole details of the accounts of at least 45.7 million customers.
The chain's US parent company, TJX, has admitted that sophisticated fraudsters were able to access its computer systems almost at will, and that it may never know the full extent of the information that has been stolen.
Customers shopping at its stores in the US, Canada, Puerto Rico, Britain and Ireland were all targeted, and the hackers were able to see unencrypted credit card data as payments were processed between store tills and the banking network.
In hundreds of thousands of cases in the North American stores, the thieves were also able to get access to customers' addresses and other personal information that could allow them to commit identity theft.
Fraudsters using the stolen credit card details allegedly went on a US$8 million ($11.2 million) spending spree in Florida, according to the state's law enforcement department, which arrested six people this month and issued warrants for four others.
TJX first admitted a security breach in January this year, but it has only now come clean on the full extent of the attack. An update in its annual report revealed that it now believes its computer systems were first accessed by an unauthorised intruder in July 2005, then again on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007.
It said some 45.6 million credit card numbers were stolen in 2005, and it has identified at least a further 132,000 taken in 2006, although that figure may be a vast underestimate. The hackers were using increasingly sophisticated technology to cover their tracks, the retailer said.
Even on the figures disclosed so far, the data theft is the largest ever. It eclipses the 40 million records compromised in a 2005 security breach at CardSystems Solutions, a credit and debit card payment processing business.
TJX has more than 2000 stores across the world. Computer systems in Framingham, Massachusetts, and in Watford in England were targeted by hackers, who appear to have been so successful that they were able to transfer data between the two sites.
The suspects arrested in Florida were travelling through the state buying large quantities of Wal-Mart gift cards with the stolen credit card accounts, and then using the gift cards at other stores to buy expensive electrical goods.
TJX said its internal investigation had already cost it $5 million, but it had also attracted lawsuits from customers and may have to compensate credit card companies.
- INDEPENDENT