Customer data stolen from TJX, the company behind high street store TK Maxx, has been used to defraud credit and debit card users in the US, Europe and Asia.
The data was taken after hackers broke into a system containing financial information of customers in December last year. Only last week did the company admit systems had been breached.
"We were extremely disappointed when we determined that we have suffered an unauthorized intrusion into our computer systems that process and store information related to customer transactions," said Ben Cammarata, chairman and acting chief executive of TJX in a statement.
The company did not divulge the extent of the breach but said that the involved the portion of TJX's computer network that handled credit card, debit card, cheque, and merchandise return transactions for customers of its T.K. Maxx shops in UK and Ireland where the company has 200 shops. The breach as affected its stores in the US as well as other chains operated by the group around the world.
It said that it was conducting a full investigation with the assistance of several computer security and incident response firms.
"Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems and we believe customers should feel safe shopping in our stores," said Cammarata.
But the Massachusetts Bankers Association (MBA) said that nearly 60 banks in the state had reported fraud connected to the data theft. It said in a statement that fraudulent use of debit and credit card data had been used to make purchases in Florida, Georgia, and Louisiana in the US, and Hong Kong and Sweden overseas. The association said that it expected the number of banks reporting incidences to be far higher.
Daniel Forte, president of the MBA said that the card companies would notify banks which in turn would issue affected customers with new cards and the banks would contact the customer to let them know what is happening.
"In rare circumstances, in a rush to protect you, your card could be cancelled before the communication reaches you," he said.
"It is critical that the card associations - Visa, MasterCard, etc. - and public officials carefully evaluate whether the source of the breach should be identified quickly and be held liable for a data breach, particularly if the information being stored is in violation of card network rules," said Forte.
Analysts said that this current breach is symptomatic of systems that have failed to keep up to date with current security practices.
"There is a lack of security in the retail industry and that doesn't surprise me at all," said Andy Kellett, senior research analyst at Butler Group. "The details that stores keep on credit card details go back a number of years and it will be card numbers from the last couple of years that will interest criminals the most."
