TJX, which operates the T.J. Maxx and Marshalls chains, said on Wednesday that the computer systems that process its customer transactions had been breached and customer information had been stolen.
The off-price retailer said it discovered the intrusion in mid-December, but it does not yet know the full extent of the theft or the number of customers affected. "The company is committed to providing its customers with more information when it becomes available," Framingham, Massachusetts-based TJX said in a prepared statement.
TJX said the breach involves the computer network that handles credit card, debit card, check and return transactions at its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico; and its Winners and HomeSense stores in Canada.
It said the intrusion could also affect customers at stores in the United Kingdom and Ireland, and its Bob's Stores in the United States.
The retailer said it cannot yet estimate the financial cost it will incur due to the breach, and it does not expect to be able to quantify the financial impact by the time it announces January 2007 sales results.
C.L. King analyst Mark Montagna said that the breach was likely to have little meaningful impact on the company, and said no more information will probably be available until fourth-quarter earnings are announced in February.
"The question mark is whether they have insurance for these types of things," said Jefferies analyst Timothy Allen. "Either way, the Street will look at it as more of a one-time issue. Maybe going forward their (information technology) costs are higher, but I don't know if it's anything more than a couple of cents."
More critical, said Allen, is how TJX treats affected customers. The company should use the incident as an opportunity to offer excellent customer service, he said, whether through personal phone calls about the breach or discount coupons to lure shoppers back to stores.
The breach may have compromised privileged information about credit and debit card sales in TJX stores, excluding Bob's Stores, in the United States, Canada and Puerto Rico during 2003 and from mid-May through December 2006.
TJX notified law enforcement immediately after discovering the breach, but it said it kept it confidential at the request of law enforcement.