Data breach · Resolved

TJX Companies (T.J. Maxx) card breach

Attackers led by Albert Gonzalez sniffed weakly-encrypted in-store Wi-Fi at a Marshalls outlet and pivoted to TJX's central systems, exfiltrating an estimated 94 million payment-card records over an 18-month intrusion — the largest U.S. retail data breach of its era.

Victim: The TJX Companies, Inc.
Loss: $256.0M
Records: 94.0M
Users: 94.0M

On 17 January 2007, the off-price retailer The TJX Companies — parent of T.J. Maxx, Marshalls, HomeGoods, and the European TK Maxx chain — disclosed that intruders had been inside its systems and stolen payment-card data. As the investigation deepened, the scale became historic: an estimated 94 million payment-card records compromised over an intrusion that ran roughly 18 months before detection, making it the largest U.S. retail data breach known at the time.

What happened

The intrusion began not at corporate headquarters but in a store parking lot. In July 2005, attackers used wardriving — scanning for wireless networks from outside the building — to reach a weakly-protected in-store Wi-Fi network at a Marshalls outlet in Minnesota. The network relied on the obsolete WEP encryption standard, which the crew defeated.

From that beachhead the attackers moved laterally into TJX's central systems in Framingham, Massachusetts, where they installed packet-sniffer software that captured cardholder data as it flowed across the network — much of it stored or transmitted with inadequate encryption. The intruders also harvested data from transactions reaching back years that TJX had retained longer than card-industry rules permitted.

How it was run

The operation was led by Albert Gonzalez, a former U.S. Secret Service informant who simultaneously ran one of the most prolific card-theft rings of the decade. The same crew was later tied to breaches at Heartland Payment Systems, Hannaford, and other retailers. Stolen card numbers were encoded onto blank plastic and used to buy gift cards and merchandise, or sold through carding forums.

Impact

  • An estimated 94 million payment-card records were exposed — names, card numbers, and in some cases driver's-license data tied to merchandise returns.
  • TJX's reported total cost exceeded $256 million, covering remediation, legal settlements, and customer compensation.
  • TJX settled with 41 state attorneys general for $9.75 million and resolved consumer class actions valued at over $200 million.
  • Albert Gonzalez was indicted in 2008 and sentenced in 2010 to 20 years in federal prison.

Why it matters

The TJX breach was a turning point for the Payment Card Industry Data Security Standard (PCI DSS). It exposed how weak wireless encryption, excessive data retention, and unencrypted internal traffic could combine into a catastrophic exposure — and it pushed retailers and acquirers to treat PCI compliance as a board-level obligation rather than a checkbox. For years afterward, TJX served as the canonical example of how a single soft perimeter, a store Wi-Fi access point, could open the door to a nationwide chain's entire payment infrastructure.

Financial impact

Reported costs in USD

Total reported loss: 256.0M USD ($256,000,000)
  • Business loss: $256.0M
  • Fines & settlements: $9.8M

Timeline

  1. Attackers begin intercepting cardholder data over a poorly-secured wireless LAN at a Marshalls store in Minnesota, exploiting weak WEP encryption.

  2. The crew pivots from the store network into TJX's central processing systems in Framingham, installing sniffer software that captures card data in transit.

  3. TJX detects suspicious software on its systems and begins a forensic investigation with outside experts and law enforcement.

  4. TJX publicly discloses the intrusion in an SEC filing and press release, initially without a confirmed record count.

  5. Court filings and TJX disclosures reveal the breach may exceed 94 million card records, far larger than first estimated.

  6. The U.S. Department of Justice indicts Albert Gonzalez and co-conspirators for the TJX intrusion and related retail breaches.

  7. TJX settles with 41 state attorneys general for $9.75 million; total breach-related costs are reported above $256 million.

  8. Albert Gonzalez is sentenced to 20 years in federal prison.

Sources

  1. sec.gov: https://www.sec.gov/Archives/edgar/data/0000109198/000115752307001830/a5338727ex991.txt
  2. nbcnews.com: https://www.nbcnews.com/id/wbna21454847
  3. scworld.com: https://www.scworld.com/news/tjx-settles-over-breach-with-41-states-for-9-75-million
  4. justice.gov: https://www.justice.gov/archives/opa/pr/alleged-international-hacker-indicted-massive-attack-us-retail-and-banking-networks
  5. informationweek.com: https://www.informationweek.com/cyber-resilience/t-j-maxx-probe-reveals-data-breach-worse-than-originally-thought
