The parent company of discount clothing chain TK Maxx has confirmed that a security breach of the computer systems it uses to hold customer credit and debit card details extends to its Irish operations.
In a statement, the TJX Companies said that an internal investigation had confirmed what it suspected when it made its initial announcement about the incident last month. The card details were gathered in TJX shops rather than through online transactions.
"While TJX continues to suspect that customer information may have been compromised from this portion of its network, the company has not been able to confirm any unauthorised access to customer data or any theft of customer data from TK Maxx," the statement said.
In mid-January TJX announced that its systems had been compromised, but an internal investigation, which has been assisted by IBM and security specialists General Dynamics, has revealed that the hackers accessed more of the systems and over a longer period than first thought.
The company now says that its computers were first accessed in July 2005 and at various dates later that year. The systems were again hacked between May 2006 and January 2007.
TJX operates almost 200 TK Maxx stores in Ireland and Britain. It also trades in the US, Canada and Puerto Rico under a number of brands including TJ Maxx, Marshalls, HomeGoods, AJ Wright, Bob's Stores, Winners and HomeSense.
Earlier this week the company announced its annual results for the year to the end of January last, which showed it had net sales of $17.4 billion (€13.2 billion), with TK Maxx contributing $1.9 billion.
The company booked a charge of approximately $5 million in the fourth quarter related to the security breach. It said this included costs "incurred to investigate and contain the intrusion, enhance computer security and systems, and communicate with customers, as well as technical, legal, and other fees".
"This was a fundamental failure by [ the company] because they were gathering information they shouldn't be and storing it in an insecure manner," said Conor Flynn, a director of RITS Information Security. "If they had implemented the payment card industry (PCI) standards, this wouldn't have happened."
A number of suits have been filed against TJX in the US courts relating to the incident and several plaintiffs are seeking class-action status. In one case, a Massachusetts resident discovered that 110 fraudulent transactions, amounting to several thousand dollars, were charged to his debit card in late January.
What to do: advice for TK Maxx customers
TK Maxx has established a helpline for Irish customers who may be concerned that they used their credit or debit card in one of its stores during the periods in question.
The helpline number is 0044-800-779015.
Security consultant Brian Honan of BH Consulting advised Irish shoppers not to panic but to contact TK Maxx and to keep a close eye on their card statements for any suspicious activity.
If there are any unrecognised transactions on their statement, they should contact the financial institution that issued the card immediately.
Mr Honan also advised those who feel they might be at risk to get a credit check from a consumer credit bureau such as Experian.
"If you see a financial institution has been checking you for a loan that you have not applied for, it might suggest someone is trying to carry out identity fraud," Mr Honan said.
Conor Flynn, a director of RITS Information Security, said it was possible the customers' card details may not be used fraudulently for some time so consumers should remain vigilant.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/VR3765MFOBH2NMV2QNICYDF67M.png)