Install

Get the latest updates as we post them — right on your browser

. Last Updated: 07/27/2016

Data Theft Grows to Biggest Ever

WASHINGTON -- At least 45.7 million credit and debit card numbers from customers in the United States, Britain and Canada were stolen over a period of several years from the computers of TJX, the discount retail giant disclosed in a regulatory filing last week.

The figure, which the company said was incomplete, represents the largest reported computer theft of personal data in history.

TJX, whose 2,500 stores include clothing chains TJ Maxx and Marshalls, reported the breach in January but disclosed its enormous scale for the first time in a filing made to the Securities and Exchange Commission after business hours Wednesday.

The computer breach is significant not only because of its scope but also because the hacker or hackers had access to the decryption tool used to decipher sensitive encrypted information and an ability to intercept data as shoppers' credit transactions were being approved.

Thieves have been using the data to make fraudulent purchases in Florida and as far away as Sweden and Hong Kong, police and bank officials said.

Also taken were personal ID numbers, related names and addresses, and drivers' license, military and state ID numbers from 455,000 shoppers who made merchandise returns in the United States and Puerto Rico. The firm acknowledged in the filing that it "may never be able to identify much of the information" was stolen.

The breach is a wake-up call, analysts said, to retailers, consumers and regulators about the increased sophistication of hackers and the need to improve data security. "In the old days, a fraudulent store employee could steal 30 or 40 credit cards a weekend," said Mark Rasch, technology director with FTI Consulting, which helps firms prevent data breaches. "Now we're at the point where a motivated hacker can steal 30 or 40,000 cards in a weekend. And a team of motivated hackers can steal 30 or 40 million."

Avivah Litan, a security analyst with Gartner, said investigators told her they thought hackers gained access through a wireless network that managed the cash registers and terminals. Once in, they were able to find their way to systems in Britain, Puerto Rico and Canada.

"The lesson is that one little hole in your network through a wireless network can lead you to the entire corporate treasure," Litan said.

Earier in March, Florida police arrested six people suspected of using stolen TJX credit card data to purchase $8 million in gift cards and electronic goods, said Keith Kameg, an officer in Gainesville. The arrests are among the first indications that the stolen information is being used to buy goods fraudulently, and Kameg and others said they expected many more cases to turn up.