In a move that was widely expected, three New England banking associations and some individual banks announced they will sue TJX Companies Inc. over the data breach that exposed at least 45.7 million credit and debit card holders to identity fraud.
Banks have suffered a heavy financial toll over the breach, having to shell out a significant sum of money to replace compromised cards and cover fraudulent charges traced back to the TJX incident.
The Massachusetts Bankers Association, Connecticut Bankers Association, Maine Association of Community Banks and some individual banks will file the lawsuit in U.S. District Court in Boston Wednesday. Nearly 300 banks are represented by the New England associations.
Dan Forte, president and chief executive of the Massachusetts Bankers Association, told the Associated Press (AP) that his organization will invite other state bank groups from around the country to join the lawsuit, which seeks class-action status.
The suit will argue that TJX failed to protect customer data with adequate security measures, and that the Framingham, Mass.-based retail giant was less than honest about how it handled data.
TJX spokeswoman Sherry Lang told the AP that the company doesn't comment on pending litigation, except to say that "TJX will defend itself vigorously."
TJX has acknowledged that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The company gave a tally of the damage in a regulatory filing with the Securities and Exchange Commission (SEC) last month, and also acknowledged that another 455,000 customers who returned merchandise without receipts were robbed of their driver's license numbers and other personal information.
Lang has admitted the full extent of the damage may never be known because of the attackers' methods. Also, much of the transaction data was deleted by TJX in the normal course of business between the time of the thefts and the time they were discovered, making it impossible to know how many card numbers were obtained.
Avivah Litan, vice president of research with Stamford, Conn.-based Gartner Inc., has called the TJX breach the largest online burglary ever.
By comparison, 26.5 million veterans and active duty personnel were affected by the theft of a Department of Veterans Affairs (VA) laptop and external hard drive last year. And in 2005, credit card transaction processor CardSystems Solutions Inc. acknowledged that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more to fraud.
TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions.
The TJX breach was worse than first thought. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, TJX recently admitted that thieves were inside the network several other times, beginning in July 2005. In last month's SEC filing, the company said the stolen data covers transactions dating back even further, to December 2002. The Federal Trade Commission (FTC) is investigating the breach.
TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS), several PCI auditors told SearchSecurity.com recently, and the company will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.
The Massachusetts Bankers Association has reported that several of its member banks have been affected by fraudulent transactions associated with the TJX data breach. The stolen data has reportedly been used to make purchases in Florida, Georgia and Louisiana as well as Hong Kong and Sweden, for example. In addition, credit card issuers have contacted at least 60 banks about compromised cards.
Law enforcement officials in Florida, meanwhile, claim thieves were using customer data from TJX last November for a gift card scheme -- a month before TJX learned of the breach. Police charged six people with using the credit card numbers to purchase about $1 million in merchandise with gift cards.
TJX also faces litigation from other groups. The Arkansas Carpenters Pension Fund -- which owns 4,500 shares of TJX stock -- filed a suit against the company under a law permitting shareholders to sue for access to corporate documents in certain cases. The pension fund wants the records to see whether TJX's board has been doing its job in overseeing the company's handling of customer data.
In late January, a West Virginia woman filed a class action lawsuit against the company accusing it of negligence for not doing enough to secure customer data and for keeping quiet about the breach for a month.