Banks: TJX lost twice as much data as reported

A group of New England banking associations contended in a court filing Tuesday that hackers stole 94 million account numbers when they infiltrated the databases of clothing retailer TJX, the Boston Globe reported today.

That allegation, if true, would increase the extent of the breach by some 50 million credit and debit card numbers – a number that, by itself, would account for the largest reported data loss in U.S. history.

Even before Tuesday's filing, the computer intrusion at TJX, the Framingham, Mass.-based parent of T.J. Maxx and Marshalls, had already been labeled the most harmful reported breach of all time. According to Canadian privacy officials, the thieves burrowed their way in through wireless connections at two Marshalls stores in Miami.

"These guys are breaking their own records," Michael Maloof, chief technology officer of TriGeo Network Security, a security and event management firm, told today.

But TJX, in a statement, said it "continues to stand by" its original estimate that 45.7 million accounts were stolen in the attack. The company added that three-quarters of those accounts were expired or had their data masked in some capacity when they were stolen, and more than 95 percent were expired by the time the intrusion was discovered last year.

Bruce Spitzer, spokesman for the Massachusetts Bankers Association, one of the plaintiffs suing TJX over fraud costs related to the breach, told today that the Globe report was accurate.

"This is really an important issue for banks and an important issue for consumers," he said, declining to comment further, citing pending litigation.

According to the Globe, the data breach impacted some 65 million Visa account numbers and 29 million MasterCard numbers. The banks, in their filing, cited testimony from the major payment brands. Visa estimated fraud and card reissuing costs would reach $83 million, the filing said.

Maloof said the larger-than-expected number from the banks likely represents the breach's worst-case scenario, as TJX may have been unable to distinguish which specific credit card numbers were compromised.

"My guess is [the 94 million] is everything that was on the machines where there was evidence they were compromised," he said. "They have to assume all of the data was tainted."

TJX's statement added that it believes its second-quarter $107 million reserve "will cover all cash losses and costs resulting from all litigation related to the computer intrusion." Some analysts, however, believe the loss could turn out to be several hundred million dollars more.
