A group of New England banking associations contended in a court filing Tuesday that hackers stole 94 million account numbers when they infiltrated the databases of clothing retailer TJX, the Boston Globe reported today.
That allegation, if true, would increase the extent of the breach by some 50 million credit and debit card numbers – a number that, by itself, would account for the largest reported data loss in U.S. history.
Even before Tuesday's filing, the computer intrusion at TJX, the Framingham, Mass.-based parent of T.J. Maxx and Marshalls, had already been labeled the most harmful reported breach of all time. According to Canadian privacy officials, the thieves burrowed their way in through wireless connections at two Marshalls stores in Miami.
"These guys are breaking their own records," Michael Maloof, chief technology officer of TriGeo Network Security, a security and event management firm, told SCMagazineUS.com today.
But TJX, in a statement, said it "continues to stand by" its original estimate that 45.7 million accounts were stolen in the attack. The company added that three-quarters of those accounts were expired or had their data masked in some capacity when they were stolen, and more than 95 percent were expired by the time the intrusion was discovered last year.
Bruce Spitzer, spokesman for the Massachusetts Bankers Association, one of the plaintiffs suing TJX over fraud costs related to the breach, told SCMagazineUS.com today that the Globe report was accurate.
"This is really an important issue for banks and an important issue for consumers," he said, declining to comment further, citing pending litigation.
According to the Globe, the data breach impacted some 65 million Visa account numbers and 29 million MasterCard numbers. The banks, in their filing, cited testimony from the major payment brands. Visa estimated fraud and card reissuing costs would reach $83 million, the filing said.
Maloof said the larger-than-expected number from the banks likely represents the breach's worst-case scenario, as TJX may have been unable to distinguish which specific credit card numbers were compromised.
"My guess is [the 94 million] is everything that was on the machines where there was evidence they were compromised," he said. "They have to assume all of the data was tainted."
TJX's statement added that it believes its second-quarter $107 million reserve "will cover all cash losses and costs resulting from all litigation related to the computer intrusion." Some analysts, however, believe the loss could turn out to be several hundred million dollars more.