Banks Report Fraud Spurred By TJX Breach

The Massachusetts Bankers Association reports that regional companies are already experiencing fraud based on the massive data breach reported by retail chain TJX.

BOSTON—Banking industry officials in Massachusetts are reporting that a string of local companies have already observed fraudulent activity related to the massive data breach reported by retail chain TJX Companies on Jan. 17.

Unlike many other highly publicized data losses reported by organizations such as the United States Department of Veterans Affairs, which have not yet been traced to any criminal activity, the information stolen from TJX during two specific incidents in 2003 and 2006 has already been put to use by fraudsters, according to the MBA (Massachusetts Bankers Association).

The MBA reported on Jan. 24 that several banks in the state, which is also home to the TJX corporate headquarters in Framingham, have reported incidents of fraud specifically related to the information that was lifted from the retailer's IT systems by unidentified outsiders.

The banking industry group said that it has received reports of fraud carried out on debit and credit card accounts exposed in the data heist in locations including Florida, Georgia, and Louisiana in the United States, and Hong Kong and Sweden overseas. The widespread nature of the criminal activity could indicate that the data has already been passed from the hackers who stole it to people around the globe intent on using it to carry out fraud, a common scenario for the use of stolen personal information.

Several banks doing business in Massachusetts have already reissued credit and debit cards to customers, including Fitchburg Savings Bank, which reported that more than 1,300 of its customers may have been exposed by the TJX incident. Bank of America, the country's largest retail bank, based in Charlotte, N.C., also confirmed that it is reissuing cards to account holders, although it did not indicate how many of its customers had been affected.

The MBA said that almost 60 local banks have reported contact with credit card providers about compromised accounts, and officials indicated that the financial services companies are notifying customers and reissuing new cards to many people. The industry group is further cautioning that the number of affected individuals is likely to grow, as, thus far, fewer than half of the 205 banks in Massachusetts have reported to the MBA about the situation.

Banks in Vermont and Canada have also reported contact with credit card companies related to the breach.

On Jan. 17, TJX, which operates a handful of North American and European retail chains including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright, reported that a computer systems intrusion may have compromised the personal data of an undetermined number of customers.

TJX officials said that outsiders were specifically able to gain access to the portion of its computer network that retains its customers' credit card, debit card and check information, along with data related to merchandise return transactions.

The information involved was drawn from the company's T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico, along with its Winners and HomeSense stores in Canada.

TJX officials said the data theft may also affect customers of its T.J. Maxx stores in the United Kingdom and Ireland, as well as its Bob's Stores chain in the United States. TJX operates an estimated 2,500 retail locations in total.

While the company did not reveal how many customers may be affected by the incident, TJX officials said that a majority of the data involved is related to individuals who shopped at its stores in the United States, Canada and Puerto Rico during 2003, and between May and December 2006.

Company officials said that they have been able to isolate a limited number of credit and debit cardholders whose information was removed from its systems, as well as a smaller group of people whose driver's license details were stolen.


In addition to working with all major credit and debit card companies to help investigate any related fraud, along with law enforcement officials including the U.S. Department of Justice, U.S. Secret Service and the Royal Canadian Mounted Police, TJX officials said the company has directly contacted individuals whose information was known to have been exposed via the intrusion and is offering additional customer support to people concerned that their data may have been compromised.

TJX officials said the company kept a lid on the details of the intrusion up until recently at the request of law enforcement officials. This quiet period has become a common practice as investigators attempt to gather evidence of data incidents before details of the events are made public, but some privacy experts have called for shorter delays in the process in the name of helping consumers protect themselves against fraud.

Based on the nature of the breach, and the company's delay in reporting the incident, some experts maintain that TJX was not taking sufficient steps to protect the customer data and should therefore be held liable for any related fraud.

For its part, the MBA is already pushing for new legislation and card association rule changes that would mandate the quick disclosure of data breaches involving personally identifiable information, and place financial liability with the company responsible for the incidents.

While TJX reported the breach publicly, Massachusetts does not currently have a law on the books similar to California 1886, which requires companies in that state to disclose any exposure of sensitive customer data.

Over the last two years, more than 30 U.S. states have adopted similar measures, and Massachusetts lawmakers are planning to reintroduce legislation in 2007 that requires companies both to take additional steps to protect such information and to inform consumers within five business days after a breach is detected.

In addition to helping individuals protect themselves against criminal activity, such requirements would help spare people unsure if their data was involved in a breach from seeking new credit cards, MBA officials said.

"By not disclosing which firm caused the breach, or quickly disclosing it, consumers are needlessly troubled and might feel compelled to take unwarranted action if they're left in the dark," Daniel J. Forte, chief executive of the MBA, said in a statement. "We hope that long-term, this approach would be the additional motivation that retailers need to enhance the security of their systems and protect consumers, as well as your local bank, which bears the cost for replacing cards and covering the fraud for customers."
