TJ Maxx & Marshall’s Hacked, Tons Of Credit Cards Stolen

In mid-December, someone cracked into TJ Maxx’s computer system and stole a huge swath of credit cards.

Based on the info released so far, all TJ Maxx and Marshall’s transactions from mid-May to December 2006, as well as all of 2003, have been compromised.

If you shopped at TJ Maxx during these times, you’re well advised to check your statements and report any suspicious activity.

TJ Maxx has a toll-free line at 866-484-6978 for customers with questions about the situation. — BEN POPKEN

Retailer TJX reports massive data breach [InfoWorld]


Edit Your Comment

  1. These types of stories always bring to mind the canned responses I hear when I tell a store employee that I just dont think they need any of my personal information if I am paying cash in full for the product.

    “You dont have to worry, we dont sell or give your personal data to ANYONE ELSE”

    What a load of crap. I think I will start clipping headlines and make a portfolio to show off to anybody asking me for so-much as my name.

    Same goes for banks and any extraneous information they request just to cash a check.

  2. timmus says:

    Why can’t they just lose their merchant account privileges? You know that if we were talking about a small business, they’d get canned and blacklisted with a TMF file.

    Oh yeah, the big bucks Visa gets from a big retailer. Millions of credit card records… we’ll just trot out the security dog and pony show and get back to business.

  3. weave says:

    Let me guess, they also stored that 3 or 4 digit extra security code on the card, that they are not supposed to save, too.

  4. Pheos says:

    Why are they still storing 3 year old card details? 1 year I can understand, but 3?

  5. BMR says:

    from the TJX.COM site, a message from their “acting” CEO – (acting concerned?)

  6. “I think I will start clipping headlines and make a portfolio to show off to anybody asking me for so-much as my name.”

    Ooooh, I’m totally going to do that!

  7. acambras says:

    Conversation that occurred at a mall store this past weekend:

    Salesperson: Do you have a _______’s rewards card? It’ll save you _____% off of _______.
    Me (smiling sweetly): No.
    Salesperson: Would you like to apply for one?
    Me (smiling sweetly): No, thank you.
    Salesperson: But it’ll only take 30 seconds…
    Me (still smiling sweetly): No.
    (Salesperson rings up purchase)
    Salesperson (very cheerfully): Can I get your home phone number with area code?
    Me (smiling sweetly): No.

    I too love Holden’s clipping portfolio idea.

  8. Antediluvian says:

    Whenever TJMaxx (or any other store) asks for my phone number, I either react with a calm “No / No, thanks”, or a shocked “Good heavens no! Why on earth do you need that? We hardly know each other!”

    I think some of the cashiers are recognizing me now because they’ve stopped asking me for my number.

    As for those customer loyalty cards, I never give real info on those, so while the shopping history data may reflect my actual habits, the demographic info is false. And I never use the CVS cards when I fill my presciptions.

    I do recommend people memorize a fake birthday and use it for all the online and retail places that require it. If you use the same one over again you’re more likely to recall it when asked on a form.

  9. If I had ever shopped at either of those stores, I’d cancel those cards immediately – don’t wait for a fraudulent charge to appear because that might not happen for months, if not years. And, when those charges do appear, you have to go through the process of contesting them, which can take years off your life. Cancel the cards now because the cost of doing so is practically zero.

    Too bad you can’t cancel your SSN and get it re-issued…

  10. BMR says:

    I like to keep in mind when asked for info at the register:
    The cashier did not make the policy, they are just doing their job. Don’t make it more miserable.

  11. Antediluvian says:

    BMR [cashier doesn’t make policy] — that’s exactly why I don’t yell at the cashiers or make a scene but try to make the point with gentle indignation.

  12. acambras says:

    @BMR —

    I always say it nicely. But if a simple “no” (to intrusive requests for information) is going to make the cashiers “miserable,” then that’s just too damn bad.

    I suspect that a lot of stores/companies offer incentives (or even impose quotas) to get employees to sign customers up for credit cards, VIP lists, etc. Otherwise, why would they be trying so hard?

    Again, it’s important to be polite, but firm. I don’t get on a soapbox at the register — I just say no. And if they keep pushing, I keep saying no. If that makes me the bad guy, then they should let me know and I’ll take my business elsewhere.

  13. josh1701 says:

    This announcement just appeared on the home page of my credit union:

    Important Notice Regarding VISA Cardholder Data Compromise

    We recently received an alert from our credit card partner, VISA, U.S.A. indicating a breach of card information at a national retailer involving all major payment card brands. While we cannot provide details of the compromise because of the sensitive nature of the ongoing investigation, we can tell you that VISA provided us with the card numbers of the compromised cards and we are taking immediate action to inform all our affected members. As part of our procedure, we will monitor the accounts independently and if needed, will cancel and reissue cards as necessary. It is important to note that one of the many reasons we partnered with VISA was because of its Zero Liability Policy, which protects our members from paying for any unauthorized purchases in the event of a situation like this one. Our members are 100% protected.

    We apologize for any inconvenience, and as always, VISA and [credit union] encourage cardholders to regularly monitor their accounts through statements and Internet account access. Cardholders should also notify [credit union] of any unusual activity. Additional security tips for consumers are available at

  14. BMR says:

    Antediluvian and acambras:
    sorry if you took my comment as an affront. was not meant in that spirit nor was it addressing your specific posts. it was a reminder only, not a critique. it is important as a consumer to remember some things, that is all.

  15. I’ve always used 867-5309 for a phone number, and occasionally get away with 90210 for an area code. It can be fun to play with these stupid policies.

  16. acambras says:

    LOL, crayonshinobi — I am betting that a lot of the teens and 20-somethings working cash registers wouldn’t get the 867-5309 reference. And in a few years, people won’t get the 90210 one either.

    And BMR, don’t worry. It was kinda funny dealing with that employee the other day. I don’t know if she was shocked because I said no or because I was so polite about it.

  17. Antediluvian says:

    BMR– no offense taken — just clarifying. I’ve worked as a bag boy, cashier, fast food counter staffer, busboy, waiter, etc, so I have empathy for folks who do that kind of work.

    But not for telemarketers. :-)

  18. Clampants says:

    You get the Max for the Minimum at TJ-Maxx!

    If “the Max” is “screwed” and “the Minimum” is “shopping with us.”

  19. Ran Kailie says:

    (or even impose quotas)

    This is exactly the case, companies often impose quotes cashiers must meet, or the entire store can suffer, or possibly even mean letting the cashier go.

  20. acambras says:

    @Ran Kailie:

    I’d hate to see someone lose his/her job for not meeting a company-imposed quota to sign up however many people for store credit cards. I’m not a monster (despite what the avatar might lead you to believe).

    Still, they’re not getting my personal info. I’m not signing up. Uh-uh. Nope.

  21. kerry says:

    Ooof, I know I bought something at Marshall’s at least once between May and December 2006. Now if I could only remember which card I used. Crud!
    As for quotas, I know Victoria’s Secret and Express impose quotas on their employees for signing up new customers to their credit cards. Not sure what the punishment for not making quota is, though. I wish there was a magic word customers could use to turn down the offer without causing the employee any negative effect. I don’t want any store credit cards, why punish some poor sales associate at Victoria’s Secret for that?
    Oh, and when my identity was stolen a few years ago they used it to open many, many store credit cards. It was surprisingly painless to get everything shut down and my name cleared. It seems to require almost no real identification to open those things. They’re supposed to check a drivers’ license, but they hardly ever do.

  22. acambras says:


    Ironically enough, the store where I had my “smiling sweetly” encounter was Victorias’s Secret. Now I know why she was so damned persistent.

    It seems to require almost no real identification to open those things. They’re supposed to check a drivers’ license, but they hardly ever do.

    Well, one of the things the associate really played up was that it only took 30 seconds (or 45 seconds, or some insanely short amount of time). I suppose that checking driver’s licenses, etc. would slow down the process to the point where it took longer than 30 seconds.

  23. Another question that comes to mind when I hear about more customer databases being compromised is;

    Do data farms and marketing firms care where the data they are purchasing comes from? Are there any ethical safeguards in place in that industry? I figure having access to all that financial data is more profitable to resell than use for identity theft. Do domestic and foreign governments ever purchase bulk consumer data? Are there any restrictions on what information a government can purchase?

    These should really be the questions we ask ourselves every time another corporate or government database is compromised.