Credit card heist hits 45 million users

Details on 45 million credit and debit cards have been stolen from computers at TK Maxx

A security breach on the computer systems at TK Maxx is now thought to have led to the theft of 45.7 million credit and debit card records. 

The data theft took place over an 18-month period, beginning in July 2005.

"We have been able to specifically identify that a portion of the data believed stolen included account information for approximately 45.7 million separate payment cards," said an official statement from TJX, the American parent of TK Maxx. 

TJX said that 75 per cent of the cards were expired at the time of the theft, or the stolen information did not include the security code data from the magnetic strip on the payment card.

However, that still leaves 11.42 million stolen financial records that are currently active. TJX has warned UK customers to check their credit card statements.

"Today's full declaration by TJX is a graphic example of how a breach in information security can impact a business and its customers," said Greg Day, security analyst at McAfee. 

"The announcement is just the tip of the iceberg, however, as organisations across the globe continue to evaluate and look to implement security policy to protect against external and internal threat."

Jamie Cowper, data security expert at PGP Corporation, added: "This is a frightening illustration that when retailer's systems are hacked, even if it occurs on the other side of the world, the card details of customers in every country are at risk because of the way companies share and store information globally." 

Cowper explained that the upcoming Payment Card Industry Data Security Standard (PDF) in June 2007 would force retailers such as TJX to safeguard customer card information or face losing its credit card facilities altogether.

"Security technologies such as encryption can greatly simplify the process of protecting information," said Cowper.

"But the recent spate of data breaches suggests that many companies are still a long way off being compliant with this and other data protection standards."

Mike Smart, European product manager at Secure Computing, added: "We find that 80 per cent of confidential data is typically undetectable by 90 per cent of firewalls and as a result sensitive data can leak from the organisation without their knowledge. 

"With the rise of real-time unencrypted communications, such as instant messaging and web mail, hacking into a corporate network and extracting data unnoticed is easy."