January 8, 2008 - Joe Whatley, an attorney representing credit card companies suing TJX over its massive data breach in 2006, didn't mince his words. In open court he told U.S. District Court Judge William Young that the company knew about the data breach in early October of 2006, more than two months before the company began to notify credit card companies of the problem. If true, it will mean that TJX violated numerous state laws by trying to keep the breach quiet.
The TJX data breach is the largest single data breach known from any company or any government organization. As many as 93 million credit cards in 13 countries had their data exposed to identity thieves through a Trojan Horse - a malicious software program - that was operating on TJX's servers. TJX owns and operates a number of discount department stores including TJ Maxx and Marshalls.
Whatley told the judge that, "TJX first became aware of this breach as early as October the 3rd of 2006 when it learned of problems with Discover Cards. It took them over two weeks, roughly the same time it took us to file our amended complaint, for them to even contact a consultant to investigate the matter. And it took them another two weeks after that to retain the consultant and work out a nondisclosure agreement. And, of course, there were problems. TJX then allowed them to have access to it for a period of time and then terminated them when they found there was a problem," referring to the data breach. TJX then apparently turned around and hired a new consulting firm, General Dynamics. This ate up additional time.
TJX has a slightly different timeline. The company's vice chairman, Donald Campbell, has said that the company didn't learn positively that there had been a breach until December 27, 2006.
The problem with reconciling these claims is that documentation covering TJX's internal investigation remains sealed. TJX has argued that any information about the company's network needs to remain secret, because exposing this information could facilitate further attacks against the company's data. But the company has also said that it has made significant changes to its network, making it difficult to understand why a two-year-old investigation needs to remain secret.
According to a recently released report on data breaches, approximately 127 million people had their personal information exposed in a data breach in 2007. The TJX breach accounted for 94 million of those people.
The report also said that the number of data breaches in 2007 was up by 40% when compared with 2006. The costs of data breaches in 2007 were also up. According to a study conducted by the Ponemon Institute, the average direct cost to companies for data breaches in 2007 was $197 per breached record. And the average cost to companies per breach increased to $6.3 million, up from $4.8 million in 2006. The study also said that the costs of breaches that are heavily publicized increase by as much as another $127 per breached record due to lost business.
by Jim Malmberg