FREQUENTLY ASKED QUESTIONS

What happened?

The TJX Companies, Inc. suffered an unauthorized intrusion or intrusions into its computer systems that process and store information related to customer transactions. The intrusion affected the portion of TJX's computer system in Framingham, MA that handles most of our credit card, debit card, check and merchandise return transactions for most of our stores in the U.S., Puerto Rico and Canada, along with a portion of our computer system in the UK that handles credit and debit card transactions for our stores in the U.K. and Ireland. Based on our investigation to date, we believe that our computer systems were first accessed by an unauthorized intruder in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007, but that no customer data was stolen after December 18, 2006. We do not know who the intruder was, whether there was one intruder or more than one, or whether there was one intrusion or several separate intrusions.

What chains were affected?

We believe all of our chains were affected other than Bob's Stores.

What types of transaction information could have been affected?

We believe that information for the following types of transactions could have been affected:

  • Credit and debit card, check and unreceipted merchandise return transactions at T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico.

  • Credit card transactions at Winners and HomeSense stores in Canada.

  • Credit and debit card transactions at T.K. Maxx stores in the U.K. and Ireland.

We believe information for the following transactions was NOT affected:

  • All transactions for Bob's Stores in the United States.

  • Transactions made at Winners and HomeSense stores through the Interac network, using debit cards issued by Canadian banks.

  • Check and merchandise return transactions at T.K. Maxx.

We believe that customer personal identification numbers (PINs) were NOT compromised in the intrusion.

When and how did you discover the intrusion? What was your immediate response?

On December 18, 2006, we learned of suspicious software on our computer systems. We began an investigation, and computer security and incident response experts General Dynamics Corporation and International Business Machines Corporation (IBM) were engaged to assist. On December 21, they determined that there was strong reason to believe that we had suffered an intrusion. On December 22, we notified law enforcement authorities, and they asked us to maintain confidentiality of the intrusion. On December 27, we first learned that any customer data apparently had been stolen.

Why didn't you publicly announce the intrusion as soon as you discovered it?

Because there was an active intrusion on our computer systems, we were concerned that there would be an expansion of the intrusion. By not making an earlier public announcement, and by enlisting the help of top security experts, we were able to contain the intrusion and further strengthen our computer systems to help protect against further intrusion and future attacks to our systems. Our actions reduced the risk that additional customer data would be exposed, and we don't believe any additional customer information was stolen from our systems as a result of the delay. Therefore, we believe that we were acting in the best interest of our customers. In addition, we maintained confidentiality of the intrusion as requested by law enforcement which advised us that early disclosure could compromise their investigation.

What is TJX doing to contact customers about this problem?

We have provided extensive information to banks and credit card companies with respect to credit and debit cards so that they can take appropriate action. The credit and debit card information that we believe was stolen does not include customer names and addresses, only numerical card information.

We are directly notifying those customers we can specifically identify whose drivers' license, military ID or state ID numbers with their related names and addresses may have been compromised. We have also tried to identify which of those customers had drivers' license, military ID or state ID numbers that were their social security numbers and specifically notify them of this possibility.

What are you doing to make sure this doesn't happen again?

Since discovering the problem, we have strengthened the security of our computer systems. Leading computer security and incident response firms General Dynamics Corporation and IBM have assisted us in further securing our computer systems and implementing additional security.

Is it safe to continue shopping in your stores?

We believe customers should feel safe shopping in our stores. The steps we have taken to strengthen the security of our computer systems have been, we believe, appropriate to protect the safety of credit and debit card and other customer transactions in our stores.

Do you know who the intruder was?

We do not know who the intruder was, or if there were one or more intruders.

What payment card information do you believe was stolen?

  • We believe that information regarding portions of the payment card transactions at our U.S., Puerto Rican and Canadian stores (excluding Bob's Stores transactions and debit card transactions made at Winners and HomeSense stores through the Interac network, with cards issued by Canadian banks), primarily from January 2003 through June 2004, was stolen. In addition, we have identified several files we believe were stolen that contain or are believed to contain payment card information. We cannot specifically identify all of this data.

  • In addition, we believe that additional payment card transaction information from all of our stores, including T.K. Maxx (excluding Bob's Stores and excluding transactions made at Winners and HomeSense stores through the Interac network with debit cards issued by Canadian banks) may have been stolen in the intrusion, but we do not know what data were stolen.

  • We have provided extensive information on credit and debit cards to the credit card companies and banks. The payment card information believed stolen does not include names and addresses of customers.

Can you summarize the numbers of payment cards or other kinds of data that were taken in the intrusion?

Due to the type of technology used in the intrusion as well as deletions of transaction data in the ordinary course, we can't now, and believe that we may never be able to, identify much of the information believed stolen. We have been able to specifically identify that a portion of the data believed stolen included account information for approximately 45.7 million separate payment cards. As to 75% of these cards, either the card was expired at the time of the theft or the stolen information did not include the security code data from the magnetic stripe on the payment card. Also, we can specifically identify about 455,000 individuals whose drivers' license numbers, military IDs or state IDs, together with their names and addresses, were included in the data we believe were stolen.

Why don't you know exactly what data was stolen? Why can't you quantify what was stolen?

We aren't able to specifically identify all of what we believe was stolen due to deletions of data in the ordinary course of business after the believed theft and prior to its discovery, the types of technology used by the intruder in the intrusion and the fact that we believe some data was stolen during the payment card approval process.

You say that the intrusion began in July of 2005, but data was taken from 2003. Doesn't this mean the intrusion started in 2003?

No. There is a distinction between when we believe the hacker was actually inside our systems versus when the information believed to have been stolen was first stored on our systems.

How many payment card numbers were used fraudulently?

We do not know whether any fraudulent use has occurred or if so, to what extent. Law enforcement has advised us that they are investigating what may be fraudulent use of information stolen from our systems. We have provided extensive transaction information to the banks and payment card companies, but they have not shared details of possible fraudulent use with us.

What personal information do you believe was stolen?

  • We believe that drivers' license, military and state identification numbers, together with related names and addresses, provided for some returns of merchandise without receipts at our U.S. (except Bob's Stores), Puerto Rican and Canadian chains may have been stolen. We are writing to customers we were able to specifically identify whose drivers' license, military and state identification numbers, together with their names and addresses, were included in the information believed to have been compromised.

  • We are continuing our investigation seeking to determine whether additional customer personal information may have been compromised and, if so, to what extent. We do not know if we will be able to identify additional personal information of specific customers that may have been taken.

  • We do not receive or store customer social security numbers per se. However, the drivers' license or military ID numbers customers provide us in unreceipted merchandise return transactions are, in some cases and in some states, the same numbers as their social security numbers. We are writing directly to customers we were able to specifically identify whose drivers' license, military or state ID numbers, together with their names and addresses, were found in the information believed compromised and identifying where we believe those numbers may be social security numbers.

Am I at risk for identity theft?

Experts tell us that it would be extremely unlikely for cyber thieves to commit identity fraud with the vast majority of information that we believe was stolen. Most of the information at risk does not include names and addresses. We never request customers' social security numbers in our transaction processes. However, we have been able to specifically identify some drivers' license, military ID or state ID numbers, together with related names and addresses (obtained in unreceipted return of merchandise transactions), which may be the same numbers as the customers' social security numbers, that we believe were compromised.

I've heard that TJX is paying for credit monitoring for some customers, but not others. Why are you not offering to pay for credit monitoring for everyone?

Based on the majority of the type of data that we believe was compromised, we do not believe that such monitoring will be meaningful to most customers. In other words, credit monitoring does not detect fraudulent charges on your credit and debit card accounts. Your best defense is careful review of your own statements, and that is why we urge you strongly to do so. However, we are offering to pay for credit monitoring where we have found customer drivers' license, military ID or state ID numbers in information believed stolen, together with their names and addresses, and where those numbers were the same numbers as their social security numbers.

How do I know if TJX was able to specifically identify me as a customer whom it believes had drivers' license, military ID or other state ID number compromised?

We are mailing letters directly to customers we have been able to specifically identify whose drivers' license, military ID or state ID numbers, together with related names and addresses, were included in the information we believe was compromised.

If I don't receive a letter from TJX, can I assume that my driver's license number (which is my social security number), together with my name and address, were not compromised?

Not necessarily. As discussed above, we are not able to specifically identify all of the personal information that may have been compromised in the intrusion. However, it is important to note that the vast majority of information that may have been compromised did not involve drivers' license numbers (whether or not social security numbers). We only received and stored this information in some transactions where merchandise is returned without a receipt in the U.S., Puerto Rico and Canada. We continue to urge customers to avail themselves of the steps outlined on this website to monitor their own credit security.

What should I do now to protect myself?

  • We have established a special helpline for customers who have questions. Customers may reach the helpline toll-free at 866-484-6978 in the United States, 866-903-1408 in Canada, and 0800 77 90 15 in the United Kingdom and Ireland. The special helplines are in operation Monday through Friday from 9:00 am to 8:00 pm Eastern time.

  • We have provided information on this website, including tips on preventing credit and debit card fraud and other steps customers may take to protect their personal information.

  • We strongly recommend that you carefully review your account statements and immediately notify your credit or debit card company or bank if you suspect fraudulent use.

Why do some of the media reports contain different information than what TJX is reporting?

We stand by the accuracy of the information on this website as well as in our news releases and Securities and Exchange Commission filings. We do not control the content of media reports. Broadly speaking, computer systems security is a complex issue. It involves not just retailers, but banks, credit card companies, trade associations, government agencies and so on. TJX cannot address everything that others are reporting regarding the intrusion. We are committed to sharing complete and accurate information and are working diligently toward that end.

September, 2007