Banks file suit against TJX over breach costs

Three state banking associations announced Tuesday that they have filed a joint lawsuit against TJX Companies over "dramatic costs" their 300 members have incurred since the discount retailer announced that hackers infiltrated its processing systems, exposing some 45 million credit card numbers.

The Massachusetts Bankers Association (MBA), the Maine Association of Community Banks, and the Connecticut Bankers Association are co-plaintiffs in the lawsuit against Framingham, Mass.-based TJX.

The company, which operates about 2,500 stores including Marshalls and T.J. Maxx outlets, revealed late last month that hackers stole 45.7 million pieces of data when they illegally accessed TJX databases during 2005 and 2006.

Merchant banks have been forced to cover replacement cards — up to $25 each — as well as any costs associated with fraudulent purchases, the MBA said in a statement. The organization has previously said the stolen data was used for purchases in Florida, Georgia, Louisiana, Hong Kong and Sweden.

"Cases of fraud due to the TJX breach have been reported all over the world," the statement said. "At the time that the MBA is filing this lawsuit, banks throughout New England continue to receive lists of 'hot' cards that have been exposed in the TJX data breach, more than three months after TJX first disclosed the problem."

Daniel Forte, president and CEO of the MBA, said the three banking associations are seeking the recovery of "tens of millions of dollars" in damages.

The lawsuit could have merit if TJX acted with negligence, Forrester vice president and research director Jonathan Penn told today.

"That's the burden they're going to face in this suit," he said.

Andy Serwin, a San Diego lawyer specializing in data privacy and security, told that in his experience, many lawsuits similar to this one get tossed out in court. He said it is difficult for plaintiffs to make a case because many of the laws governing electronic privacy allegations have yet to be fully understood.

"The states are all over the place," he said. "You're applying old law to situations that were never anticipated. Where the line is going to get drawn ultimately, it's not that clear yet."

He said some states will let retailers off the hook if a criminal act caused the data exposure.

"Ultimately, we're going to see new insurance products out there to deal with risk," Serwin said.

A legal debate such as this may soon be unnecessary in Massachusetts. State lawmakers have proposed a bill that makes retailers responsible for data losses.

A TJX spokesperson could not immediately be reached for comment.

Click here to email reporter Dan Kaplan.
