US retailer TJX has admitted that the computer security breach that it disclosed in January was more extensive than it previously reported and potentially exposed more transaction data to fraudsters, including information from card payments made at TK Maxx stores in the UK and Ireland.
The retailer revealed on 17 January that the computer system it uses to process and store information related to customer transactions had been hacked in December 2007, which could have exposed millions of customers' credit and debit card numbers, as well as driver's licence information.
The retailer previously said that it thought the intrusion took place from May 2006 to January 2007, but now believes its computer system was also hacked into in July 2005 and at other periods during that year.
Credit and debit card data from transactions at its US and Puerto Rican stores and credit card-only transactions at Canadian stores from January 2003 through June 2004 was compromised. The retailer had previously reported that 2003 transaction data had potentially been accessed.
TJX says for most of the transactions from September 2003 through June 2004, some of the card information was masked at the time of the transaction, making that portion unavailable to hackers.
Furthermore, TJX says its investigation into the breach has found evidence of an intrusion into "the portion of its computer system that processes TK Maxx customer transactions".
TJX says it continues to suspect that UK and Ireland customer data may have been compromised from this portion of its network, but it has not confirmed any unauthorised access to customer data or any theft of data from TK Maxx.
Additional driver's licence numbers, together with related names and addresses, are also thought to have been exposed. TJX says it will notify those customers it is able to identify whose driver's licence numbers, names and addresses were included in the compromised information.
Earlier this month the office of the Massachusetts Attorney General said it was leading a multi-state civil investigation into the security breach. Lawmakers in the state are considering introducing a bill that would render the retailer liable for any losses incurred as a result of a security breach and for the costs in cleaning up the mess afterwards.
Following the incident, some banks were forced to re-issue cards to affected consumers. Debit and credit card data exposed in the breach is thought to have been used to make fraudulent purchases in Florida, Georgia and Louisiana in the US, as well as in Hong Kong and Sweden.