Identity Thieves Steal Data from Marshalls and TJMaxx Computers

Apparently late last year, hackers compromised and stole data from computer systems storing credit card and other confidential information belonging to customers of TJ Maxx and Marshalls stores. If you have been a customer of either of these stores, you may become the next victim of identity theft.

The company chairman and acting CEO disclosed the security breach in a message to customers posted on the TJX Company (Marshalls and TJ Maxx parent company) web site. The message contains resources, suggestions and other information about what to do in case you suspect that your identity has been compromised. Describing the nature of the breach, the chairman and acting CEO stated:

As the founder of our Company, I can tell you that customer satisfaction has been central to our Company’s success since day one. Therefore, I can tell you that we were extremely disappointed when we determined that we have suffered an unauthorized intrusion into our computer systems that process and store information related to customer transactions.

I hope that this company provides further information and regular updates during the course of their investigation. For example, what information relating to customer transactions has been compromised? Credit card data? Checking account details? Driver’s license information? How did such an intrusion occur? How did this company allow such an intrusion to occur? What computer security systems were in place to protect against intrusions of this type? Can the company recover details about who compromised its computer systems? What steps have been taken to determine precisely which consumers have been affected? States such as California require notification to all possible identity theft victims. Have company officials notified all possible affected consumers of the compromise of confidential information and risk of identity theft? If I have ever shopped at TJ Maxx or Marshalls stores and bought something with a check or credit card, does this mean that my identity may be stolen? What steps will the company take to minimize the harm to consumers who have shopped at these stores and whose names and credit card numbers have been stolen? Does the company expect to use its web site as the sole information resource for consumer notification or will it work with banks and credit card issuers to notify all possible victims? Will the company help protect victims whose identities have been exposed to fraud or does the company expect consumers to pay for protection themselves? Who should bear the burden of the cost and time it will take consumers to protect themselves from this exposure to identity theft? Should consumers who became victims by simply shopping at these two stores bear the sole burden of identity theft protection and prevention or should the company whose computer systems facilitated such criminal activity bear responsibility? What responsibility should the computer security systems designer bear for the computer security failure?

While the letter from the CEO certainly provides some assurance, the proof about whether the company will truly help consumer victims will be in the details. Have you ever shopped at either of these stores? How do you feel knowing that you may become the next victim of identity thieves by simply shopping at Marshalls or TJ Maxx stores? What do you think the company should do to help minimize identity theft risks? Who should bear the cost of identity theft protection for consumers who have been exposed? Let me know your thoughts. I’d love to hear from you.