By Se Young Lee
August 9, 2007
Almost seven months after the biggest security breach of financial data
in the nation was revealed, some banks still appear to be sorting out
which of their credit card customers were put at risk.
Retail giant TJX Cos., with headquarters in Framingham, revealed this
spring that at least 45.7 million credit and debit card numbers were
compromised by hackers who gained access to the company's computer
systems in the second half of 2005 as well as from May 2006 to January
of this year. But some companies, such as Citibank, are still reissuing
cards for customers whose information may have been exposed.
"As a preventative measure we are in the process of notifying and
issuing new credit and debit cards to some customers whom we believe may
be subject to increased risk," Citibank said in a statement yesterday.
Brian Riley, senior research analyst of bank cards for TowerGroup in
Needham, a financial-services consultant, said such a lengthy delay is
not unusual because banks might choose to keep tabs on some accounts and
take action only if they notice unusual activity.
"I can look at all your transactions and say, 'Hey, the guy's never
shopped at this store before. what's going on?' " Riley said.
Some banks have said information from TJX about the compromised accounts
has been sporadic since the news first broke.
"I can't remember an example that has had such a magnitude in a
continued, slow process as this breach," said Daniel Forte, president of
the Massachusetts Bankers Association, which sued TJX in April to
recover damages from the costs of reissuing cards and launching other
measures to protect customers.
But TJX said in a statement that it fulfilled its obligations in January
and February by providing "extensive numerical payment card information
to banks and payment card companies."
Chris Harrall, spokesman for MasterCard, declined to say how many of its
customers' accounts had been compromised and said its investigation was
ongoing. Bank of America said it reissued credit cards in March because
of the breach but declined to say how many. Sovereign Bank said it has
replaced 60,000 credit cards so far.
The overall financial impact of the breach remains unclear. TJX said in
May that it has spent $25 million because of the security lapse. Some
analysts estimate the breach may cost more than $1 billion. The firm is
also under a multistate investigation involving 37 state attorneys
general as well as an inquiry by the Federal Trade Commission, according
to filings with regulators.
Copyright 2007 The New York Times Company
Visit the InfoSec News book store!