Data Breach UPDATE - TJX Companies
20+ Million Records Breached
The actual depth and breadth of the TJX breach is now becoming fully known, piecemeal. While TJX appeared to be claiming it was a victim in this breach, it understated the impact of the breach and purposefully understated its own culpability. Updates from some media sources put the breach at TJX at over 20 million victims. Data that was illegally released includes credit card numbers, CVV codes, driver's license numbers, and the addresses and phone numbers of customers. This information is specifically prohibited from being collected and stored in the manner in which it was archived at TJX by PCI-DSS (the Payment Card Industry Data Security Standard). The collection and illegal dissemination of driver's license numbers and other individually identifiable data with these records may expose TJX to additional liability through civil and criminal penalties, lawsuits, and other punitive measures. Why in the hell was TJX archiving the full contact records and credit card information for over 20 million people in the first place, and what were they thinking by storing it on an unencrypted computer on their network? The full depth and breadth of the stupidity involved in this breach is leaking bit by bit to the media. What is even more frightening is that the information stolen from TJX is now VERIFIED as being used by identity thieves, and the sheer number of potential victims is staggering. We will have further updates as they are available on what could be the single largest commercial breach of all time with verified identity theft.
Massachusetts Bankers Association Responds to TJX Companies Data Breach
Governing Privacy Law or Rule - PCI-DSS, State Laws, Federal Wire Fraud
BOSTON--(BUSINESS WIRE)--The Massachusetts Bankers Association:
- MasterCard now Reporting Data Breaches to Banks
- Thus far, 28 Massachusetts Banks Report Compromised Cards
- Work of MBA Task Force is Underscored
- Has TJX been “Victimized?”
- Advice for Cardholders
After surveying its banks, the MBA is reporting that thus far 28 banks have been contacted by the card associations indicating that some of their cardholders have had personal information that may have been exposed due to the TJX data breach. The MBA is cautioning, however, that the number is likely to grow higher as, thus far, only 48 out of 205 banks in Massachusetts have reported in to the Association.
In addition, the MBA is questioning TJX's self-characterization as having been "victimized" by the intrusion, made in a news release issued yesterday by the retailer.
Daniel J. Forte, CEO and president of the MBA said, “We think it’s a little odd that they would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary.”
Retailers, upon processing a debit or credit card purchase -- that is, verifying that the information on a card is correct, and that customers have money or credit in their accounts -- are prohibited by card network rules from retaining that information. “After the transaction clears,” said Forte, “there is no reason to store any data.”
TJX has not indicated what data it routinely captures, but the range of problematic data includes account numbers, expiration dates, personal identification numbers, and other verification information. “The company did indicate,” said Forte, “that driver’s license information may have been captured and exposed.”
Two years ago, after a data breach that occurred at BJ's Wholesale Club, the MBA established the New England Debit Card Task Force. The group, consisting of the banking trade associations from the New England states, individual community bankers, representatives from the American Bankers Association, America's Community Bankers, the Independent Community Bankers of America, and the California Bankers Association, has been meeting frequently to address this very issue and develop ways to moderate fraud.
The task force has worked closely with Visa and MasterCard, engaging in dialogue centered on protecting consumers and seeking to moderate the impact and the costs that banks must bear when such data breaches occur.
“Visa and MasterCard have both been increasing fines and penalties for retailers when violations such as this are uncovered,” said Forte.
“Moreover, in Massachusetts,” added Forte, “through the work of the Debit Card Task Force, we have been leading an effort to manage the impact of fraud on consumers and our banks when it occurs due to a retailer’s data breach. We are strongly supporting recent legislation in Massachusetts that would place the liability for the expenses that banks must bear in the hands of the retailers at fault. We hope that long term, this approach would be the motivation that retailers need to enhance the security of their systems and protect consumers, as well as your local bank. While expensive for all banks, ninety-five percent of the banks in Massachusetts are community banks, and these costs can be particularly tough for smaller banks and credit unions to absorb.”
Forte explained that when a bank must issue new cards due to a retailer’s data breach, it can add up to a significant expense considering that thousands of cards could be involved. “MasterCard, and now Visa, has in place a process for banks to make claims for the cost of re-issuing cards,” he said, “however, there is no guarantee that the full amount will be reimbursed. Additionally, there is the fraud issue. If a fraud does take place, MasterCard and Visa have a zero liability policy in place for the benefit of consumers, which is good. However, the cost is borne by the bank even if the retailer is responsible for a major violation of the card association rules resulting in fraud. Does this make sense?”
Forte added, “Bottom line, we believe it is critical that the card associations – Visa, MasterCard, etc. – and public officials carefully evaluate whether retailers should be held liable for a data breach, particularly when the information being stored is in violation of card network rules.”
The New England Debit Card Task Force, following the breach involving BJ’s Wholesale Club, began advocating a number of steps to enhance security. Its major recommendations include:
1) Notification – Giving banks the ability to notify customers on a timely basis;
2) Liability for the Fraud – Retailers should be held accountable, at present banks absorb the cost;
3) Full Reimbursement for card re-issue – This cost if not fully covered can be significant for banks;
4) Stronger Encryption Standards and Data Capture Limits – a must to protect consumers.
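As an added illustration of the "data capture limits" recommendation above and of the card-network rule Forte describes (nothing may be retained once the transaction clears), the following Python script is not part of the article or the MBA release. It audits a constructed point-of-sale archive, flags every field that PCI-DSS forbids retaining after authorization (CVV, PIN, track data) or that the merchant has no transaction need for (driver's license, contact details), and emits a record that keeps only masked card data; all field names, policy sets and sample records are constructed for the demo.

```python
# Added example: post-authorization scrubber enforcing a data capture limit.
# PCI-DSS forbids storing sensitive authentication data (CVV/CVC, PIN, full
# magnetic-stripe track data) after authorization; the PAN may be retained
# only masked or otherwise unreadable. Field names/policies are constructed.
import re

SENSITIVE_AUTH_DATA = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}
# PII with no transaction purpose (the article's driver's-license example).
OUT_OF_SCOPE_PII = {"drivers_license", "phone", "address"}
# Fields a merchant may keep for settlement/chargeback handling (constructed).
ALLOWED = {"txn_id", "expiry", "amount", "auth_code", "timestamp"}
MASKED_PAN = re.compile(r"\d{6}\*+\d{4}")

def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (PCI-DSS masking), star the rest."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short to mask")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_after_auth(record: dict) -> tuple[dict, list[str]]:
    """Return (record safe to archive, violations found in the stored input)."""
    kept, violations = {}, []
    for field, value in record.items():
        if field in SENSITIVE_AUTH_DATA:
            violations.append(f"sensitive auth data retained: {field}")
        elif field in OUT_OF_SCOPE_PII:
            violations.append(f"unnecessary PII retained: {field}")
        elif field == "pan":
            if MASKED_PAN.fullmatch(value):
                kept["pan"] = value            # already masked, fine to keep
            else:
                violations.append("PAN stored in clear")
                kept["pan"] = mask_pan(value)  # never write the clear PAN back
        elif field in ALLOWED:
            kept[field] = value
        else:
            violations.append(f"unknown field dropped: {field}")
    return kept, violations

# Constructed sample of what an over-collecting POS archive might hold.
SAMPLE_ARCHIVE = [
    {"txn_id": "T1", "pan": "4111111111111111", "expiry": "0309", "cvv2": "123",
     "track2": "4111111111111111=0309...", "drivers_license": "S12345678",
     "amount": "49.99", "auth_code": "A1B2C3", "timestamp": "2007-01-17T10:00"},
    {"txn_id": "T2", "pan": "411111******1111", "expiry": "0309", "amount": "12.00",
     "auth_code": "Z9Y8X7", "timestamp": "2007-01-17T10:05"},
]

def audit_archive(records: list[dict]) -> tuple[list[dict], int]:
    """Scrub every record; return (clean records, total violation count)."""
    clean, total = [], 0
    for rec in records:
        kept, found = scrub_after_auth(rec)
        clean.append(kept)
        total += len(found)
    return clean, total
```

Run against a real archive, a non-zero violation count is the finding an assessor would write up; the scrubbed output is what should have been stored in the first place.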
Although the MBA expects the number of banks and exposed cardholders in the TJX incident to rise, the MBA is telling customers not to worry. “You may not be in the affected group,” said Forte. “There is no reason to contact your bank. It will reach out to you if there is a problem. This is a situation that was not caused by your bank but you should know, if your information was exposed, we are working hard on your behalf. If you are notified that you are in the impacted group, remember just because your data was exposed, fraud may not occur. Nonetheless, it’s a good idea to check your statements and balances regularly, and order a credit report which you can receive free of charge once a year.”
The Massachusetts Bankers Association represents 205 commercial, savings and co-operative banks and savings and loan institutions in Massachusetts and elsewhere in New England.
Massachusetts Bankers Association, Inc.
73 Tremont Street, Suite 306
Boston, MA 02108-3906
Tel: 617-523-7595 / Fax: 617-523-6373