News

Retailer Takes Out Ads To Buffer Fallout from Customer Data Hack

TJX Cos. took a month to make public a computer security breach because it was trying to prevent further damage, the company's chairman said in an online message and full-page advertisement in Boston newspapers.

TJX Cos. discovered in mid-December that customer data had been stolen by computer hackers and used to make fraudulent debit card and credit card purchases, but did not inform the public of the breach until mid-January.

"By delaying a public announcement, with the help of top security experts, we were able to contain the problem and further strengthen our computer network to prevent further intrusion," Chairman Ben Cammarata said in the letter that ran in The Boston Globe Sunday and in the Boston Herald Monday. "Therefore, we believe we were working in the best interests of our customers."

The letter, addressed to "Our Valued Customers," also detailed the company's efforts to prevent further computer system intrusions. A letter also posted on the company's Web site, along with a seven-minute video of Cammarata speaking from a store's clothing department.

"We immediately engaged two leading computer security and incident response firms to investigate the problem and enhance our computer security in order to protect our customers' data," Cammarata said.

The company is working with law enforcement and banks and has set up customer help lines.

On Monday, a lawsuit seeking class-action status was filed in federal court in Boston accusing the company of negligence for waiting to publicly announce the intrusion and for failing to protect consumer credit- and debit-card information in its computers. The lawsuit, filed on behalf of a West Virginia woman, seeks credit-card monitoring for affected customers and compensation for damages they incurred.

The company did not immediately return a message left after business hours seeking comment on the lawsuit.

Cammarata also announced in the letter that the security breach did not appear to involve transactions made at Bob's Stores, and that transactions using debit cards issued by Canadian banks were not involved.

The fraudulent purchases have been made in Florida, Georgia and Louisiana, and overseas in Hong Kong and Sweden.

Framingham-based TJX is the parent company of discount retailers T.J. Maxx and Marshalls, as well as HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada, and T.K. Maxx in Britain.

TJX announced on Jan. 17 that hackers had broken into a system that handles credit and debit card transactions, as well as checks and merchandise returns. The company said the stolen customer data included information from 2003 transactions, as well as information from mid-May 2006 through December.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.