Court filing in TJX breach doubles toll

Oct 24, 2007

More than 94 million accounts were affected in the theft of personal data from TJX Cos., a banking group alleged in court filings, more than twice as many accounts as the Framingham retailer has said were affected in what was already the largest data breach in history.

The data breach affected about 65 million Visa account numbers and about 29 million MasterCard numbers, according to the court filing, which was made late yesterday by a group of banks suing TJX over the costs associated with the breach. The banks cited sealed testimony taken from officials at the two largest credit card networks. A Visa official also put fraud losses to banks and other institutions that issued the cards at between $68 million and $83 million on Visa accounts alone, the filing states, the most specific estimate of losses to date.

TJX, which operates more than 2,500 stores worldwide under such brand names as TJ Maxx and Marshalls, previously has said the unidentified hackers who breached its systems had compromised at least 45.7 million credit and debit card numbers as far back as 2003. TJX has said about 75 percent of the compromised cards were expired or had data in the magnetic strip masked, meaning the information was stored as asterisks rather than numbers.

A TJX spokeswoman said she couldn't immediately discuss the filing yesterday, and said the company doesn't generally discuss pending litigation. Spokesmen for Visa and MasterCard did not respond to questions last night.

Eric Bourassa, a privacy specialist for the consumer group MassPIRG, said the larger number of cards apparently affected made it all the more important that consumers be notified of the great risk of fraud. He also said Visa's estimate of fraud losses was striking since in most previous cases "it's been hard to draw the link between the breach and the damages."

To date, authorities have not charged anyone directly with responsibility for the breach, though they made charges and won guilty pleas against six individuals in Florida for using phony credit cards with numbers stolen from TJX to purchase goods illegally. Last month, Canadian privacy officials concluded an eight-month investigation into the breach by faulting TJX for failing to adequately safeguard customer information. The investigators said TJX believes the intruders gained access to customer information via wireless local area networks at two Marshalls stores in Miami. These networks use radio waves to collect and transmit data, such as credit card numbers.

The claims filed by the banks yesterday are part of an ongoing legal battle between TJX and the bank that handled its card transactions, Fifth Third of Ohio, and a bigger group of plaintiff institutions including the Massachusetts Bankers Association and others.

TJX already has reached a tentative settlement with attorneys representing consumers who were harmed by the breach, who would receive cash or merchandise vouchers, credit monitoring, and other benefits if the deal is finalized. TJX has said the price of the deal would fall within its previous estimates that the total cost of dealing with the breach would be around $256 million.

Several analysts have estimated the total costs to TJX could ultimately run as high as $1 billion, including legal settlements and lost sales. To date, though, sales figures reported by TJX suggest that shoppers have not been put off by the breach.

The banking plaintiffs haven't set an exact total for the damages they seek in their suit, but they claim among other things that TJX mishandled its security arrangements and they want the company to pay for unspecified losses and costs such as reissuing compromised credit cards.

TJX also is facing several other investigations into the breach, including one by the Federal Trade Commission and a multistate probe led by Massachusetts Attorney General Martha Coakley.

Yesterday's filings relate to a technical legal battle over whether a federal judge in Boston will grant the banks' motion to be certified as a class of plaintiffs, or whether they would face the more daunting task of pursuing their claims individually.

In a filing of its own, TJX argued against the certification, saying the small community banks who brought the suit "are not typical of those of the class" compared to big banks such as Bank of America Corp., which account for the majority of cards issued in the United States.

"Large banks generally devote considerably more resources to payment card fraud management than do smaller banks . . . which technology in turn enables them to react more flexibly to data compromises than small community banks sometimes do," TJX's filing states.

Further, many banks reissued every one of their cards listed in alerts, "a response that was at odds with best practices set forth by Visa, MasterCard," and bankers associations, TJX stated.
