Court filing in TJX breach doubles toll
Oct 24, 2007
More than 94 million accounts were affected in the theft of personal data from TJX Cos.,
a banking group alleged in court filings, more than twice as many accounts as the
Framingham retailer has said were affected in what was already the
largest data breach in history.
The data breach affected about 65 million Visa account numbers and about
29 million MasterCard numbers, according to the court filing, which was
made late yesterday by a group of banks suing TJX over the costs
associated with the breach. The banks cited sealed testimony taken from
officials at the two largest credit card networks. A Visa official also
put fraud losses to banks and other institutions that issued the cards
at between $68 million and $83 million on Visa accounts alone, the
filing states, the most specific estimate of losses to date.
TJX, which operates more than 2,500 stores worldwide under such brand
names as TJ Maxx and Marshalls, previously has said the unidentified
hackers who breached its systems had compromised at least 45.7 million
credit and debit card numbers as far back as 2003. TJX has said about 75
percent of the compromised cards were expired or had data in the
magnetic strip masked, meaning the information was stored as asterisks
rather than numbers.
A TJX spokeswoman said she couldn't immediately discuss the filing
yesterday, and said the company doesn't generally discuss pending
litigation. Spokesmen for Visa and MasterCard did not respond to
questions last night.
Eric Bourassa, a privacy specialist for the consumer group MassPIRG,
said the larger number of cards apparently affected made it all the more
important that consumers be notified of the great risk of fraud. He also
said Visa's estimate of fraud losses was striking since in most previous
cases "it's been hard to draw the link between the breach and the
damages."
To date, authorities have not charged anyone directly with
responsibility for the breach, though they made charges and won guilty
pleas against six individuals in Florida for using phony credit cards
with numbers stolen from TJX to purchase goods illegally. Last month,
Canadian privacy officials concluded an eight-month investigation into
the breach by faulting TJX for failing to adequately safeguard customer
information. The investigators said TJX believes the intruders gained
access to customer information via wireless local area networks at two
Marshalls stores in Miami. These networks use radio waves to collect and
transmit data, such as credit card numbers.
The claims filed by the banks yesterday are part of an ongoing legal
battle between TJX and the bank that handled its card transactions,
Fifth Third of Ohio, and a bigger group of plaintiff institutions
including the Massachusetts Bankers Association and others.
TJX already has reached a tentative settlement with attorneys
representing consumers who were harmed by the breach, who would receive
cash or merchandise vouchers, credit monitoring, and other benefits if
the deal is finalized.
TJX has said the price of the deal would fall within its previous
estimates that the total cost of dealing with the breach would be around
$256 million.
Several analysts have estimated the total costs to TJX could ultimately
run as high as $1 billion, including legal settlements and lost sales.
To date, though, sales figures reported by TJX suggest that shoppers
have not been put off by the breach.
The banking plaintiffs haven't set an exact total for the damages they
seek in their suit, but they claim among other things that TJX
mishandled its security arrangements and they want the company to pay
for unspecified losses and costs such as reissuing compromised credit
cards.
TJX also is facing several other investigations into the breach,
including one by the Federal Trade Commission and a multistate probe led
by Massachusetts Attorney General Martha Coakley.
Yesterday's filings relate to a technical legal battle over whether a
federal judge in Boston will grant the banks' motion to be certified as
a class of plaintiffs, or whether they would face the more daunting task
of pursuing their claims individually.
In a filing of its own, TJX argued against the certification, saying the
small community banks who brought the suit "are not typical of those of
the class" compared to big banks such as Bank of America Corp., which
account for the majority of cards issued in the United States.
"Large banks generally devote considerably more resources to payment
card fraud management than do smaller banks . . . which technology in
turn enables them to react more flexibly to data compromises than small
community banks sometimes do," TJX's filing states.
Further, many banks reissued every one of their cards listed in alerts,
"a response that was at odds with best practices set forth by Visa,
MasterCard," and bankers associations, TJX stated.