In a move that was widely expected, three New England banking
associations and some individual banks announced they will sue TJX
Companies over
the data breach that exposed at least 45.7 million credit and debit
card holders to identity fraud.
Banks have suffered a heavy financial toll over the breach,
having to shell out a significant sum of money to replace
compromised cards and cover fraudulent charges traced back to the
TJX incident.
The Massachusetts Bankers Association, Connecticut Bankers
Association, Maine Association of Community Banks and some
individual banks will file the lawsuit in U.S. District Court in
Boston Wednesday. Nearly 300 banks are represented by the New
England associations.
Dan Forte, president and chief executive of the Massachusetts
Bankers Association, told the Associated Press (AP) that his
organization will invite other state bank groups from around the
country to join the lawsuit, which seeks class-action status.
The suit will argue that TJX failed to protect customer data
with adequate security measures, and that the Framingham,
Mass.-based retail giant was less than honest about how it handled
data.
TJX spokeswoman Sherry Lang told the AP that the company doesn't
comment on pending litigation, except to say that "TJX will defend
itself vigorously."
TJX has acknowledged that at least 45.7 million credit and debit
cards were stolen over an 18-month period by hackers who managed to
penetrate its network. The company gave a tally of the damage in a
regulatory filing with the Securities and Exchange Commission (SEC)
last month, and also acknowledged that another 455,000 customers
who returned merchandise without receipts were robbed of their
driver's license numbers and other personal information.
Lang has admitted the full extent of the damage may never be
known because of the attackers' methods. Also, much of the
transaction data was deleted by TJX in the normal course of
business between the time of the thefts and the time they were
discovered, making it impossible to know how many card numbers were
obtained.
Avivah Litan, vice president of research with Stamford,
Conn.-based Gartner Inc., has called the TJX breach the largest
online burglary ever.
By comparison, 26.5 million veterans and active duty personnel
were affected by the
theft of a Department of Veterans Affairs (VA)
laptop and external hard drive last year. And in 2005,
credit card transaction processor
CardSystems Solutions Inc. acknowledged that
hackers had stolen 263,000 customer credit card numbers and
exposed 40 million more to fraud.
TJX acknowledged in January that an attacker
exploited a flaw in a portion of its computer network that
handles credit card, debit card, check, and merchandise return
transactions.
The
TJX breach was worse than first thought. The
company initially believed that attackers had access to its
network between May 2006 and January 2007. However, TJX recently
admitted that thieves were inside the network several other
times, beginning in July 2005. In last month's SEC filing, the
company said the stolen data covers transactions dating back
even further, to December 2002. The Federal Trade Commission
(FTC) is investigating the breach.
TJX violated some of the basic tenets of the
PCI Data Security Standard (PCI DSS),
several PCI auditors told SearchSecurity.com recently, and the
company will pay a heavy financial price. They said companies
should study the TJX security breach for clear lessons on what
not to do with customer data.
The Massachusetts Bankers Association has reported that several
of its member banks have been affected by
fraudulent transactions associated with the TJX
data breach. The stolen data has reportedly been used to
make purchases in Florida, Georgia and Louisiana as well as Hong
Kong and Sweden, for example. In addition, credit card issuers
have contacted at least 60 banks about compromised cards.
Law enforcement officials in Florida, meanwhile, claim thieves
were using customer data from TJX last November for a gift card
scheme -- a month before TJX learned of the breach. Police charged
six people with using the credit card numbers to purchase about $1
million in merchandise with gift cards.
TJX also faces litigation from other groups. The
Arkansas Carpenters Pension Fund -- which owns
4,500 shares of TJX stock -- filed a suit against the
company under a law permitting shareholders to sue for
access to corporate documents in certain cases. The pension fund
wants the records to see whether TJX's board has been doing its
job in overseeing the company's handling of customer data.
In late January,
a West Virginia woman filed a class action
lawsuit against the company accusing it of negligence for
not doing enough to secure customer data and for keeping quiet
about the breach for a month.