Information from at least 45.7 million credit and debit cards was stolen by hackers who accessed TJX’s customer information in a security breach that the discount retailer disclosed more than two months ago.
TJX Cos., the owner of about 2,500 stores, said in a regulatory filing late Wednesday that about three-quarters of those cards had either expired at the time of the theft, or data from their magnetic stripes had been masked — stored as asterisks rather than numbers.
But TJX acknowledged it still knows little about the full scope of the breach, in part because the hacker or hackers accessed TJX’s encryption software and could have known how to unscramble the information.
In addition, TJX deleted much of the transaction data in the normal course of business between the time of the breach and the time that TJX detected it, making it impossible to know how many total cards were affected.
“There is a lot of information we don’t know, and may never be able to know, which is why this investigation has been so laborious,” TJX spokeswoman Sherry Lang said on Thursday.
The company provided an update of its investigation in a regulatory filing made after business hours Wednesday.
TJX says its computer systems were first breached in July 2005 by a hacker or hackers who accessed information from customer transactions dating to January 2003. TJX says it didn’t find out about the breach until about three months ago.
Information from 45.7 million cards was stolen from transactions beginning in January 2003 and ending Nov. 23 of that year, TJX said in the filing with the Securities and Exchange Commission. TJX did not give estimates of the number of cards from which information was stolen for transactions occurring from Nov. 24, 2003 to June 28, 2004.
TJX said in the filing that “substantially all stolen data” from the latter period “were deleted in the ordinary course of business subsequent to the believed theft but prior to discovery of computer intrusion.”
Lang said TJX was investigating why information stolen during the initial nine-month period in 2003 wasn’t being routinely deleted.
The filing also says, “We believe that the intruder had access to the decryption tool for the encryption software utilized by TJX.”
The filing also said another 455,000 customers who returned merchandise without receipts had their personal data stolen, including driver’s license numbers.
The filing gives the first detailed account of the breach initially disclosed in January by Framingham-based TJX, the owner of T.J. Maxx, Marshalls and other stores in North America and the United Kingdom.
The filing says the company “does not know who took this action, and whether there were one or more intruders involved.” Also unknown is whether there was a single continuing breach, or multiple, separate intrusions.
Police charged six people in Florida last week with using credit card numbers that investigators believe were stolen from a TJX database to buy about $1 million in merchandise with gift cards.
The gift cards had been purchased from Wal-Mart stores, and were used to acquire electronics and jewelry at Wal-Mart’s Sam’s Club warehouse stores.
TJX’s Lang said Thursday that the company could not yet confirm whether the data used in those thefts originated at TJX.
Gainesville, Fla., police have said they believe the Florida suspects bought the card numbers from someone else, and weren’t the TJX hackers.
In Wednesday’s filing, TJX said for the first time that Dec. 18, 2006, was the date it first learned that there was suspicious software on its computer system.
TJX said it believes hackers invaded its systems in July 2005, on later dates in 2005 and also from mid-May 2006 to mid-January 2007. The company said no customer information was stolen after Dec. 18, one day before it hired General Dynamics Corp. and IBM Corp. to investigate. By Dec. 21, those investigators determined that the computer systems had been breached and that an intruder remained on the systems.
TJX said it notified federal authorities Dec. 22, and on Jan. 3, TJX officials and Secret Service agents met with banks and payment card and check processing companies to discuss the computer intrusion.
The company issued a news release Jan. 17 disclosing the breach but did not say how much data was stolen.
TJX is facing an investigation by the Federal Trade Commission and lawsuits from individuals and banks accusing it of failing to do enough to safeguard private data and of delaying disclosure of the problem.
The company said in Wednesday’s filing that its forensic investigation of the intrusion is ongoing and it is continuing to work to strengthen and protect its computer systems.