For anyone who thought that 45 million was an absurdly high number of payment cards to be compromised in a data breach, try 94 million.
That’s the total number of cards actually exposed in the breach disclosed by TJX Companies Inc. earlier this year, according to court documents filed Tuesday by a group of banks suing the Framingham, Mass.-based retailer over the compromise.
The filings, made in federal court in Boston, relate to a dispute over whether the multiple financial institutions who are plaintiffs in the case should be treated as a class or whether each bank would be required to pursue individual cases against TJX. The plaintiffs in the case include the Massachusetts Bankers Association, the Connecticut Bankers Association, the Maine Association of Community Banks and AmeriFirst Banks.
In documents arguing for class action status, the banks claimed that the TJX breach affected 94 million separate card holder accounts over a 17-month period — not 45.6 million accounts, as TJX had disclosed. Quoting figures supplied by the card companies themselves, the bankers said that the breach affected approximately 65 million Visa account numbers and an additional 29 million MasterCard accounts. To date, the losses by card-issuing companies on Visa accounts alone total between US$68 and $83 million, the banks said, citing the Visa information.
“Unlike other limited data breaches where ‘pastime hackers’ may have accessed data with no intention to commit fraud, in this case it is beyond doubt that there is an extremely high risk that the compromised data will be used for illegal purposes,” the bankers said in an affidavit. “Faced with overwhelming exposure to losses it created, TJX continues to downplay the seriousness of the situation.”
TJX officials did not immediately respond to a request for comment.
The figures included in the court documents, if accurate, more than double the size of the TJX breach, which had originally been pegged at 45.6 million cards based on estimates from the company. Even that number represented the biggest-ever compromise of payment card data. The next closest data compromise is the mid-2005 breach at CardSystems Solutions, which involved about 40 million cards.
The breach has prompted several lawsuits and investigations by the U.S. Federal Trade Commission and the Attorneys General of several states. An eight-month-long probe of the breach by Canadian privacy commissioners last month blamed TJX for failing to take adequate measures to protect card holder data. The Canadian report came just one day after TJX announced a proposed settlement of consumer class action lawsuits against the company that included credit and ID theft monitoring services and reimbursement of certain costs for affected individuals. At the time, federal Privacy Commissioner Jennifer Stoddart said firms like TJX need to be as transparent as possible about the extent of their data loss.
“When there is any kind of significant breach, the companies should inform privacy commissioners, then inform their clients, customers — all the people affected,” she said. “They need to take proactive steps, like checking credit statements, give services to help them.”
The large discrepancy between the numbers supplied by TJX and those from the banks suggest that TJX did not have the log data needed to do a proper forensic analysis of the incident, said Michael Maloof, chief technology officer at Trigeo Network Security Inc., a vendor of security event management tools in Post Falls, ID. All too often, he said, companies that don’t have processes in place for collecting and storing log data wind up losing the tell-tale tracks left behind by computer intrusions.
Even with that log data, it is often difficult to figure out exactly what might have happened in a breach such as the one at TJX, said Deepak Taneja, CEO of Aveska, a provider of access control technologies. “It’s not an exact science. You use the evidence that is available and try to figure out the extent of the breach and which files [intruders] had access to and how much of the data did they get to.”
Originally, TJX, which owns brands such as TJ Maxx, Marshall’s and Bob’s Stores, disclosed in January only that unknown intruders had accessed its payments systems and pilfered account data belonging to an unknown number of customers in multiple countries. At the time, TJX said it believed the intrusion took place in May 2006, even though it didn’t discover the breach until mid-December 2006. A few weeks later, the company revised those dates and said that an investigation by IBM and General Dynamics, two companies it hired in the wake of the breach discovery, showed the intrusion took place in July 2005.
In filings with the U.S. Securities and Exchange Commission two months later, the company disclosed that 45.6 million cards had been affected. Of that number, the company said it believed about 75% of the cards had expired or had their magnetic stripe data masked.
The breach has prompted several lawsuits and investigations by the U.S. Federal Trade Commission and the Attorneys General of several states. An eight-month-long probe of the breach by Canadian privacy commissioners last month blamed TJX for failing to take adequate measures to protect card holder data. The Canadian report came just one day after TJX announced a proposed settlement of consumer class action lawsuits against the company that included credit and ID theft monitoring services and reimbursement of certain costs for affected individuals.
— with files from Shane Schick