<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16414" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><STRONG><FONT size=5>Data Theft Grows To Biggest
Ever<BR></FONT></STRONG>Fraudulent Purchases Pop Up in Breach Of 45.7 Million
Shoppers' Records<BR>
<P><FONT size=-1>By Ellen Nakashima and Ylan Q. Mui<BR>Washington Post Staff
Writers<BR>Friday, March 30, 2007; D01<BR></FONT></P>
<P>At least 45.7 million credit and debit card numbers from customers in the
United States, Britain and Canada were stolen over a period of several years
from the computers of TJX, the discount retail giant disclosed in a regulatory
filing this week.</P>
<P>The figure, which the company said is incomplete, represents the largest
reported computer theft of personal data in history.</P>
<P>TJX, whose 2,500 stores include clothing chains T.J. Maxx and Marshalls,
reported the breach in January but disclosed its massive scale for the first
time in a filing made to the Securities and Exchange Commission after business
hours Wednesday.</P>
<P>The computer breach is significant not only because of its scope but also
because the hacker or hackers had access to the decryption tool used to decipher
sensitive encrypted information and an ability to intercept data as shoppers'
credit transactions were being approved.</P>
<P>Thieves have been using the data to make fraudulent purchases in Florida and
as far away as Sweden and Hong Kong, according to police and bank officials.</P>
<P>Also taken were personal ID numbers, related names and addresses, and
drivers' license, military and state ID numbers from 455,000 shoppers who made
merchandise returns in the United States and Puerto Rico.</P>
<P>The Framingham, Mass., firm acknowledged in the filing that it "may never be
able to identify much of the information believed stolen."</P>
<P>Legislation pending in Massachusetts would make retailers responsible for the
financial cost of data breaches, currently covered by banks that issue the
credit cards. Rep. Barney Frank (D-Mass.) is considering introducing a similar
bill in Congress.</P>
<P>The breach is a wake-up call, analysts said, to retailers, consumers and
regulators about the increased sophistication of hackers and the need to improve
data security. "In the old days, a fraudulent store employee could steal 30 or
40 credit cards a weekend," said Mark Rasch, technology director with <A
href="http://financial.washingtonpost.com/custom/wpost/html-qcn.asp?dispnav=business&mwpage=qcn&symb=FCN&nav=el"
target="">FTI Consulting</A>, which helps firms prevent data breaches. "Now
we're at the point where a motivated hacker can steal 30 or 40 thousand cards in
a weekend. And a team of motivated hackers can steal 30 or 40 million."</P>
<P>Avivah Litan, a security analyst with Gartner, said investigators told her
they thought hackers gained access through a wireless network that managed the
cash registers and terminals. Once in, they were able to find their way to
systems in Britain, Puerto Rico and Canada.</P>
<P>"The lesson is that one little hole in your network through a wireless
network can lead you to the entire corporate treasure," Litan said.</P>
<P>This month, Florida police arrested six people suspected of using stolen TJX
credit card data to purchase $8 million in gift cards and electronic goods, said
Keith Kameg, an officer in Gainesville. The arrests are among the first
indications that the stolen information is being used to buy goods fraudulently,
and Kameg and others said they expect many more cases to turn up.</P>
<P>Banks, too, have reported fraudulent transactions linked to the stolen TJX
data, said Bruce Spitzer, a spokesman for the Massachusetts Bankers Association,
which expects all 209 of its bank members to have to cover costs of fraud
associated with the breach. Banks are "very angry" at TJX for not investing in
security, Spitzer said.</P>
<P>Since January, when TJX disclosed the breach, it has been the target of
class-action lawsuits by shoppers in Massachusetts, Alabama, California, Canada
and Puerto Rico. "They're obviously not happy," attorney Jon J. Lambiras said of
his clients in Massachusetts. "They're very concerned that they're at risk for
identity theft."</P>
<P>Robert Mann of Massachusetts used his debit card to shop at several TJX
stores in December, according to a written complaint. A month later, after a
failed attempt to use his debit card, he checked his account online and realized
110 fraudulent transactions had been made or attempted on his card from Jan.
24-27, including charges in foreign countries. Mann said he had to take two
unpaid days off work to investigate.</P>
<P>Sandra Fuller of Amarillo, Tex., was alerted by her local bank that her debit
card had possibly been misused. Two charges were made in California in February
while Fuller was in Texas: $407.42 at a Wal-Mart and $13.50 at Exxon, according
to the complaint.</P>
<P>Other plaintiffs are worried their Social Security numbers were compromised
because they were the same as their drivers' license numbers, which were stolen.
Some had tied automatic bill payments to their bank accounts and were penalized
when companies were unable to withdraw money, according to the complaint.</P>
<P>TJX is cooperating with a federal criminal investigation. State and federal
authorities are also looking into whether TJX violated consumer-protection
laws.</P>
<P>TJX spokeswoman Sherry Lang suggested that TJX was simply the most visible
example of a widespread trend. "Breaches go on all the time that never get
detected and never get reported," she said. "I think we have been victimized
here along with our customers."</P>
<P>According to the filing, TJX discovered suspicious software on its computers
Dec. 18 and began an investigation. Three days later, the company concluded that
a breach had probably occurred and that the intruder was still on the system.
The next day, it notified federal investigators. On Dec. 27, the firm learned
that customer data had been stolen, and it notified banks and check-processing
companies. On Jan. 17, TJX announced the intrusion but did not say how much data
was taken.</P>
<P>Based on the firm's investigation, the intrusion occurred in July 2005, on
subsequent dates in 2005 and from mid-May 2006 to mid-January 2007. No customer
data was stolen after Dec. 18, 2006.</P>
<P>Three-quarters of the cards were expired or contained magnetic strip data
that was masked or stored as asterisks rather than numbers at the time the
information was stolen. The firm had retained data, some of it from transactions
dating back to 2003. Expired cards can still be at risk because they are often
renewed with the same numbers, and the TJX filing said the hackers' technology
could have penetrated masked data.</P>
<P>The thieves stole data from the firm's computer systems in Framingham, where
transactions are processed for customers in the United States, Puerto Rico and
Canada. They also took data from systems in Watford, England.</P>
<P>The firm's share price closed up 1.3 percent yesterday, at $26.85.</P>
<P>Security and privacy experts said TJX is the most glaring example of a
spreading trend in industry and government. <STRONG><FONT color=#ff0000>A
soon-to-be-released study by the Ponemon Institute, a privacy research
organization, of 649 companies and government agency information security
personnel found that 61 percent thought their organizations were ill-equipped to
respond to hacker threats</FONT></STRONG>, said Larry Ponemon, institute
chairman.</P>
<P><I>Staff researcher Richard Drezen contributed to this
report.</I></P></DIV></BODY></HTML>