Retailer Takes Out Ads To Buffer Fallout from Customer Data Hack
TJX Cos. took a month to make public a computer security breach because it was trying to prevent further damage, the company's chairman said in an online message and full-page advertisement in Boston newspapers.
TJX Cos. discovered in mid-December that customer data had been stolen by computer hackers and used to make fraudulent debit card and credit card purchases, but did not inform the public of the breach until mid-January.
"By delaying a public announcement, with the help of top security experts, we were able to contain the problem and further strengthen our computer network to prevent further intrusion," Chairman Ben Cammarata said in the letter that ran in The Boston Globe Sunday and in the Boston Herald Monday. "Therefore, we believe we were working in the best interests of our customers."
The letter, addressed to "Our Valued Customers," also detailed the company's efforts to prevent further computer system intrusions. A letter also posted on the company's Web site, along with a seven-minute video of Cammarata speaking from a store's clothing department.
"We immediately engaged two leading computer security and incident response firms to investigate the problem and enhance our computer security in order to protect our customers' data," Cammarata said.
The company is working with law enforcement and banks and has set up customer help lines.
On Monday, a lawsuit seeking class-action status was filed in federal court in Boston accusing the company of negligence for waiting to publicly announce the intrusion and for failing to protect consumer credit- and debit-card information in its computers. The lawsuit, filed on behalf of a West Virginia woman, seeks credit-card monitoring for affected customers and compensation for damages they incurred.
The company did not immediately return a message left after business hours seeking comment on the lawsuit.
Cammarata also announced in the letter that the security breach did not appear to involve transactions made at Bob's Stores, and that transactions using debit cards issued by Canadian banks were not involved.
The fraudulent purchases have been made in Florida, Georgia and Louisiana, and overseas in Hong Kong and Sweden.
Framingham-based TJX is the parent company of discount retailers T.J. Maxx and Marshalls, as well as HomeGoods and A.J. Wright in the U.S., Winners and HomeSense in Canada, and T.K. Maxx in Britain.
TJX announced on Jan. 17 that hackers had broken into a system that handles credit and debit card transactions, as well as checks and merchandise returns. The company said the stolen customer data included information from 2003 transactions, as well as information from mid-May 2006 through December.