UK customers caught up in TK Maxx data theft

Victims of the TK Maxx data breach that first came to light in January 2007 could include British consumers.

These customers have just learned that their personal credit and debit card details could be amongst the transaction details from more than 45 million cards which have been stolen in what is being called the largest data heist in history.

According to parent company TJX this information covered transactions between December 2002 and June 2004. The data was stored on computer systems in the US and UK that process and store the company's credit card transactions and worryingly could have been unencrypted, and thus unprotected.

TJX said about 75 per cent of the debit and credit cards were either expired or the security data stored on the magnetic strip was not stolen.

However, six people using some of the stolen credit card details were arrested last week after allegedly going on an £4.1 ($8m) spending spree in Florida, according to the state's law enforcement department; arrest warrants have been issued for four more people.

McAfee security analyst Greg Day said today's announcement was "just the tip of the iceberg, as organisations across the globe continue to evaluate and look to implement security policy to protect against external and internal threat".

Jamie Cowper, at data security expert PGP Corporation said it was frightening how easy it was for cyber criminals to steal personal details. He said that in the TJX case the information the thieves had access to, which included names, addresses, card details, could not only be used for fraudulent transactions but in identity theft as well.

Cowper said this incident showed the pressing need for retailers and other organisations to encrypt customer information and ensure they meet the Payment Card Industry Data Security Standard (PCI DSS) when it comes into force this June.

"This is a frightening illustration that when retailer systems are hacked - even if it occurs on the other side of the world - the card details of customers in every country are at risk because of the way companies share and store information globally," said Cowper.

"The PCI means they will have to safeguard its customers' card information - or face losing their credit card facilities altogether."

He also told Computeractive that this incident showed how it was necessary for organisations to inform customers if there has been a data breach so they can help to minimise any potential fraud against themselves.

"TJX had to tell people because of the US data breach laws [known as the Ten K laws]. But there is no such law in the UK although the European Union is looking at changing this under the Regulation of Investigatory Powers Act 2000 (RIPA)," he said.

A message from the group's chief executive, Carol Meyrowitz has been posted on TK Maxx's website. Customers have been given a personal apology and there is a free phone number for anybody who believes they may have been affected: 0800 779015.