The extent of the damage from the breach of personal data contained in TJX Company's computer systems has yet to be fully quantified. As fraudulent purchases from the data breach reach as far as Hong Kong, consumers and banks cry foul. The experience contains a warning for any retailer that fails to secure personal data.
Less than a week after the giant discount retail firm, based in Framingham, MA, disclosed that hackers had stolen customer information, the Massachusetts Bankers Association (MBA) reported, "Nearly 50 banks have been contacted by the card associations, indicating that some of the banks' cardholders have had personal information that may have been exposed."
Two days later, MBA said that the number of banks contacted by card companies had risen to 60, and cautioned that the number could grow "because the situation is such a moving target." In the same statement, MBA said that debit and credit card data had so far been used fraudulently to make purchases in Florida, Georgia, Louisiana, Hong Kong and Sweden. No culprit has been identified.
TJX operates 821 TJ Maxx, 748 Marshalls, 270 HomeGoods, 129 AJ Wright and 36 Bob's Stores in the U.S.; 184 Winners and 68 HomeSense stores in Canada; and 212 TK Maxx stores in Europe. On January 17, it announced that "it has suffered an unauthorized intrusion into its computerized systems that process and store information related to customer transactions."
The intrusion was discovered in mid-December, and it involved portions of stored information from 2003 and from mid-May through December 2006. TJX principals claim that the month-long delay in disclosing the breach was on the advice of law enforcement officials, whom the company contacted when the breach was detected.
However, consumers and some of the lawyers representing them are cynical, and suggest the retailer didn't want to dampen holiday shopping. The company has not provided an estimate of how many customers were affected. Following a report in the Wall Street Journal suggesting that more than 40 million cards may be affected, a spokesperson said it "was substantially less than millions."
Small and large banks, including JPMorgan Chase & Co., CitiGroup and Bank of America, have been reissuing cards, either as a preventive measure or at the request of customers. Reissuing a card costs banks between $3 and $15 each.
Daniel Forte, CEO and president of MBA, notes in a statement that, although the local bank "did not cause this problem," it is the local bank "which bears the cost for replacing cards and covering the fraud for customers." MBA supports legislation and card association rule changes that would mandate quick disclosure of a breach, and place financial liability on the company from which the information was fraudulently obtained.
Forte also questions TJX's characterization of itself, in a news release, as being "victimized" by the intrusion. "We think it's a little odd that they would characterize themselves as victims, when it appears that they may have been capturing data that is unnecessary."
Visa and MasterCard subscribe to a Payment Card Industry Data Security Standard that covers both the type of customer information companies can collect and the length of time customer information can be stored. These card companies can issue fines for non-compliance, and have done so in the past. At least publicly, it is unclear whether or not TJX was in compliance.
AmeriFirst Bank, based in Union Springs, AL, has filed a class action lawsuit against TJX, seeking to recover the costs of replacing cards and covering fraudulent purchases. The Lamb Firm LLC and Whatley Drake & Kallas LLC, based in Birmingham, AL and Boston, MA, have also filed class action suits against TJX Co. and against Fifth Third Bank, based in Cincinnati, OH, the sponsoring bank that handles TJX's accounts.
According to a joint statement by the law firms, the suit "seeks protection and damages for the millions of unwitting customers injured by the failure of the defendants, as well as protection and indemnification for the hundreds of banks affected."
"The magnitude of this failure by TJX and the Fifth Third Bank is international in its reach, with the full extent of damages unknown until independent experts can investigate all of the issues," says primary counsel Archie Lamb, in a statement. "It is apparent the costs to customers and banks will be enormous," he adds.
Joe Whatley, lead counsel at his firm, says, "This litigation seeks to ensure that those responsible for this massive failure to secure private information of unwitting consumers are also responsible for the cost to remedy the problem."
Yet another class action suit was filed jointly by the firms of Berger & Montague PC and Stern Shapiro Weissberg & Garin LLP, based in Philadelphia, on behalf of consumers exposed to identity theft as a result of the hacker's TJX intrusion. It charges that TJX was negligent in failing to maintain adequate computer data security. In a statement, they say, "Hundreds of thousands or even millions of (TJX) customers have had their personal financial information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages." The complaint also charges that the delay in announcing the breach harmed class members by preventing them from taking appropriate measures to protect their accounts.
TJX is at the head of a crowd of banks and associations urging customers to monitor their credit card statements. In a full-page ad in the Boston Globe, on its website and in a letter to customers, Ben Cammarata, TJX chairman, says, "How deeply I regret any difficulties our customers may experience due to this incident." The retailer has established a helpline and updated FAQs on its website.
TJX said it expected to record a charge of a penny a share for costs related to the "unauthorized intrusion." Beyond that, it said, "TJX does not have enough information to reasonably estimate losses it may incur."
Entire contents ©2016, Sumner Communications, Inc. All rights reserved.