TJX Update: Breach Worse Than Reported

Court Filings Estimate Impact on 96 Million Accounts
TJX Update: Breach Worse Than Reported
The estimated number of reported credit card numbers that were taken in the TJX breach has doubled from more than 45 million to nearly 100 million accounts being affected, according to VISA.

New documents filed in the Federal Court in Boston on October 23 reveal that as many as 96 million consumers may have been affected, including about 29 million MasterCard victims and 65 million VISA victims.

These new numbers were disclosed in filings from a group of banks suing TJX. (See related story: New England Banks File Class Action Suit Against Retailer TJX). The banking plaintiffs in the class action suit have not set a dollar figure on the total damages sought in the suit. Industry analysts have estimated the total costs to TJX from $500 million to as much as $1 billion, when legal settlements and loss of market share and sales are included

"Beginning in July 2005, TJX experienced a massive intrusion into its computer systems, resulting in the largest data security breach in history and the compromise of an unprecedented amount of confidential nonpublic consumer personal data," said the plaintiff filing. "Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, VISA has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on VISA accounts alone."

The bank plaintiffs based their new numbers on depositions from VISA and MasterCard that had been confidential until Oct. 23. Joseph Majka of VISA testified in the depositions and told of some 96 million accounts that were affected and fraud stemming from the TJX breach took place in 13 different countries.

At another hearing a week ago, TJX and their lawyers’ motion to dismiss was rebuffed by the court. The certification of the class of plaintiffs has yet to be decided upon by the court, and if the entire class is certified it will open the door for other banks to join the suit.

The class action suit plaintiffs are not commenting on the case, “Because of the ongoing litigation, we’re letting the documents speak for themselves,” says Bruce Spitzer, a spokesperson at the Massachusetts Bankers Association. “However, going forward, this issue will be of topmost concern to banks and to consumers as well.”

TJX also faces many other state and federal investigations into the breach, including one by the Federal Trade Commission (FTC) and a multistate probe led by Massachusetts Attorney General Martha Coakley. Canadian government officials recently issued findings on its investigation into the TJX breach. (See related story: TJX Report: Wake-up Call for All Institutions).


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network