Consumerist: tjmaxx

Forever 21 Aftershocks? Citibank Cancels Cards Due To Retailer Security Breach

Chris Walters — Wed, 17 Sep 2008 19:44:13 EDT

We've received queries from readers telling us that their Citibank cards have been replaced, and asking whether we've heard about any new security breach. Other than Forever 21 we haven't, so we're wondering whether they're responsible for the stories below.

Jeremy writes:

Just got a replacement card from Citi due to possible “compromise of information” but when I asked customer service who the merchant was who may have been compromised, she said she did not have that information, but that it came straight from Visa and Mastercard and that it happened in the last 6-8 months.

Trevor writes:

I logged onto my CitiCard professional account today and discovered an "important security messsage" that my account may be at risk due to a problem with a merchant's database. The CSR said someone had "hacked in" to a database. His manager said she didn't know which merchant was involved, and invoked the TJ Maxx case as an example. When I asked if this was of comparable size, she said it was, and the CitiBank was issuing new cards to people, and that mine should be in the mail already.

Update 09/19/08: We received another report this morning:

Just yesterday, I received a replacement card.

Logging onto their site, I got a message saying my card had been compromised. I decided to activate the new card, but pressed 5 for a consumer rep. This was not the ordinary rep with noise in the background. She had no "sell-up" scripts nor an ebullient demeanor.

She said my card had to be replaced due to a database compromise.

Round 17: Wal-Mart vs TJMaxx

Ben Popken — Fri, 04 Apr 2008 12:00:00 EDT

This is Round 17 in our Worst Company in America contest, Wal-Mart vs TJMaxx.

Everyone has their own special reason for hating Wal-Mart. Forcing manufacturers to make shoddier versions of their products is pretty bad. Selling sandals that gave patrons feet chemical burns was pretty bad too. What's yours?

TJMaxx's lax wireless security lead to the theft millions upon millions of customer's debit and credit card numbers being stolen, the greatest bank robbery in the history of the freakin' world.

This is a post in our Worst Company In America 2008 series. The companies nominated for this honor were chosen by you, the readers. Keep track of all the goings on at consumerist.com/tag/worst-company-in-america/

STILL OPEN FOR VOTING: Mattel vs ATT, Capital One vs Video Professor, eBay/Paypal vs COX, Apple vs SallieMae, Diebold Vs Pfizer, MTV vs TransUnion
CompUSA vs DirecTV
Target vs Best Buy
Allstate vs Verizon,
DeBeers vs 1800 flowers, Starbucks vs United Airlines,
Exxon vs Crocs, Google Vs Sony, Ticketmaster vs Wachovia, Facebook vs The American Arbitration Association, Comcast vs Menu Foods

Retailers Get Sued For Printing Too Many Credit Card Digits On Receipts

Ben Popken — Thu, 03 May 2007 14:15:55 EDT

As of Dec 4th, 2006, it's illegal for a retailer to print more than five digits of your credit card on your receipt. Retailers who persisted are getting hit in a recent whirlwind of class-action lawsuits.

"Slips of paper containing people's financial information should not be floating around," says J. Mark Moore, a lawyer at Spiro Moss Barness LLP in Los Angeles.

Among the targets are Rite Aid, Wendy's, FedEx, TJMaxx and IKEA.

Keep an eye on those receipts. Find one with more than 5 credit card digits on it and it could the equivalent of an unclaimed winning lottery ticket, if one were so inclined. — BEN POPKEN

Retailers Whose Slips Show Too Much Attract Lawsuits [WSJ via Consumer World Blog]
(Photo: Mikey aka DaSkinnyBlackMan)

How TJMaxx Hackers Stole 45.7 Million Credit Cards

Ben Popken — Fri, 30 Mar 2007 17:49:15 EDT

TJMaxx computer system intruders who stole 45.7 million credit cards siphoned off customer data using a program they implanted on the company's servers, recent regulatory filings reveal.

The worm operated undetected for at least 18 months, capturing credit card numbers, then changing timelogs and moving data around to erase its tracks.

Initial speculation suggested that the thieves had access to the retailer's encryption key. Now it may be that the program captured data before it was encrypted.

If the latter, the ramifications are immense, as it means every single retailer's credit card processing system is at risk. — BEN POPKEN

TJX Intruder Had Retailer's Encryption Key [eWeek] (Thanks to Brandon!)

45.7 Million Credit Cards Stolen In TJMaxx Breaches

Ben Popken — Thu, 29 Mar 2007 13:02:50 EDT

45.7 million credit cards were stolen in recently disclosed security breaches at TJMaxx, regulatory filings revealed yesterday.

...Making it the largest robbery in the history of man.

It's time to start pressuring merchants to stop endlessly archiving our banking data. Why do they get to keep a copy of our credit cards forever? — BEN POPKEN

TJX breach involved 45.7m cards, company reports [Boston.com] (Thanks to KevinQ!)
(Photo: Sonny-)

TJ Maxx Data Thieves Caught Buying $8 Million in Walmart Gift Cards

Meg Marco — Fri, 23 Mar 2007 15:39:03 EDT

Stolen TJX data has been linked to 6 arrests in the Miami area. According to the AP, the ID thieves exploited a Walmart gift card loophole that allowed them to buy multiple $400 gift cards without showing ID, which they would then redeem or sell.

From the AP:

"Losses experienced by Wal-Mart and the banks issuing the credit cards currently total more than $8 million in Florida and are still being calculated," a release from the department said.
Framingham, Mass.-based TJX discovered in mid-December that customer data had been stolen by computer hackers and used to make fraudulent debit card and credit card purchases, but did not inform the public of the breach until mid-January. TJX, parent of T.J. Maxx, Marshalls, HomeGoods and other chains, later said it took a month to make the breach public because it was trying to prevent further damage.

The company at first thought the intrusion began in May 2006 and ran into January, but later said it found the breach started nearly a year earlier, in July 2005.

—MEGHANN MARCO

Florida arrests linked to data theft from TJX systems [Boston Globe]
Stolen Data From T.J. Maxx Parent Company Surfaces In Florida Wal-Mart Fraud [Information Week]

PREVIOUSLY: TJ Maxx Security Breach Happened A Year Earlier Than Previously Reported
T.J. Maxx Credit Card Breach Probed By MA & RI AGs
(Photo: Jels)

TJ Maxx Security Breach Happened A Year Earlier Than Previously Reported

Meg Marco — Wed, 21 Feb 2007 16:22:15 EST

From the Boston Globe:

"TJX Cos. said today that the unauthorized intrusion into its computer system occurred nearly a year earlier than it previously believed.

The Framingham operator of such offprice retail chains as T.J. Maxx and Marshalls offered additional details about a data breach it first disclosed last month.

TJX said today in a statement: "While the company previously believed that the intrusion took place only from May 2006 to January 2007, TJX now believes its computer systems was also intruded upon in July 2005 and on various subsequent dates in 2005. TJX continues to believe there was no compromise of customer data after-mid December 2006."

That's awesome, guys. Way to be on the ball. TJ Maxx says that credit card and debit card information from January 2003 through June 2004 has been stolen.

At this point it might be best to assume that your credit/debit card information has been stolen if you've ever shopped at TJ Maxx/Marshalls. They don't seem to have any idea what is going on. TJ Maxx has a toll-free line at 866-484-6978 for customers with questions about the situation.—MEGHANN MARCO

TJX: security breach happened earlier [Boston Globe] (Thanks, Kalun!)

PREVIOUSLY:TJ Maxx and Marshall's Hacked

Valentine's Day Retail Love Triangle: Pier 1's New CEO Slaps Restraining Order on TJ Maxx

Meg Marco — Wed, 14 Feb 2007 11:31:33 EST

Yes, just in time for Valentine's Day, a tale of love lost, betrayal and perhaps even revenge. Former TJ Maxx executive vice president, Alex Smith has left his post at TJ Maxx and begun a new life as CEO of spiraling-into-the-dirt home furnishings merchant Pier 1. Sadly, TJ just doesn't want to let Alex go. From Reuters:

Pier 1 Imports Inc. said on Tuesday it had received a temporary restraining order that would prevent TJX Cos. Inc. from filing a lawsuit against Pier 1's new President and Chief Executive Alex Smith....
On Monday, a Pier 1 spokesman said in a statement the company was trying to stop TJX from interfering with Smith's new employment agreement. Such threats were "improper," said spokesman Tom Thomas, because the two companies are not competitors.
The restraining order was necessary "to assure that Alex will be at his post next Monday to oversee the beginning of Pier 1's return to profitability," said Thomas.

Look TJ, Pier 1 just wants you to let Alex go so they can move on. Ok? You're embarrassing yourself.

Unfortunately, TJ Maxx didn't return calls for comment. They were too busy painting over Smith's parking spot and ripping up old prom photos. Happy Valentine's Day.—MEGHANN MARCO

UPDATE 1-Pier 1 says gets restraining order against TJX [Reuters]

Retailers' Return Policies

Ben Popken — Wed, 06 Dec 2006 18:01:46 EST

Retailers are getting stricter with their return policies this year. If you're not hot about the Marshmallow Shooter or Toshiba SD-4990 DVD Player grams got you, keep the receipt and don't take it out of the package. Here's the return policies of some of the major retailers. — BEN POPKEN

Holiday gift returns: Still nothing easy about it [Money] (Thanks to Octavia!)