Credit card headaches from TJX breach remain

Credit card headaches from TJX breach remain
Credit card headaches from TJX breach remain 

By Se Young Lee
Globe Correspondent 
August 9, 2007

Almost seven months after the biggest security breach of financial data 
in the nation was revealed, some banks still appear to be sorting out 
which of their credit card customers were put at risk.

Retail giant TJX Cos., with headquarters in Framingham, revealed this 
spring that at least 45.7 million credit and debit card numbers were 
compromised by hackers who gained access to the company's computer 
systems in the second half of 2005 as well as from May 2006 to January 
of this year. But some companies, such as Citibank, are still reissuing 
cards for customers whose information may have been exposed.

"As a preventative measure we are in the process of notifying and 
issuing new credit and debit cards to some customers whom we believe may 
be subject to increased risk," Citibank said in a statement yesterday.

Brian Riley, senior research analyst of bank cards for TowerGroup in 
Needham, a financial-services consultant, said such a lengthy delay is 
not unusual because banks might choose to keep tabs on some accounts and 
take action only if they notice unusual activity.

"I can look at all your transactions and say, 'Hey, the guy's never 
shopped at this store before. what's going on?' " Riley said.

Some banks have said information from TJX about the compromised accounts 
has been sporadic since the news first broke.

"I can't remember an example that has had such a magnitude in a 
continued, slow process as this breach," said Daniel Forte, president of 
the Massachusetts Bankers Association, which sued TJX in April to 
recover damages from the costs of reissuing cards and launching other 
measures to protect customers.

But TJX said in a statement that it fulfilled its obligations in January 
and February by providing "extensive numerical payment card information 
to banks and payment card companies."

Chris Harrall, spokesman for MasterCard, declined to say how many of its 
customers' accounts had been compromised and said its investigation was 
ongoing. Bank of America said it reissued credit cards in March because 
of the breach but declined to say how many. Sovereign Bank said it has 
replaced 60,000 credit cards so far.

The overall financial impact of the breach remains unclear. TJX said in 
May that it has spent $25 million because of the security lapse. Some 
analysts estimate the breach may cost more than $1 billion. The firm is 
also under a multistate investigation involving 37 state attorneys 
general as well as an inquiry by the Federal Trade Commission, according 
to filings with regulators.

Copyright 2007 The New York Times Company

Visit the InfoSec News book store! 

Site design & layout copyright © 1986-2014 CodeGods