Thursday, April 25, 2024

Upon Further Review, Accounts Exposed in TJX Breach Double

Sources reached by Digital Transactions News aren't surprised at the news that the number of credit and debit card accounts affected in the TJX Cos. breach has doubled, as disclosed by court filings and reported this week by The Boston Globe. Although the off-price retailing chain reported in March that 45.7 million accounts had been compromised, the number is actually about 94 million, the Globe reported, citing documents filed in federal court as part of a legal dispute between TJX and banks seeking to consolidate separate breach-related lawsuits against the merchant. Some 65 million Visa and 29 million MasterCard accounts were involved in the breach, according to the financial institutions suing Framingham, Mass.-based TJX, the Globe account says. Other press reports this week said the 94 million figure could go even higher as networks and issuers continue to watch for signs of fraud originating with the breach.

Citing a Visa executive's testimony, the Globe account says Visa issuers alone have suffered $68 million to $83 million in fraud losses stemming from the breach. A Visa spokesperson says Visa would not comment on the filing. So far no perpetrator has been charged in the breach, which TJX first disclosed in January, though authorities in Miami have won guilty pleas from six individuals charged with using phony cards with numbers taken in the breach.

The Globe said the new numbers were revealed in sealed testimony given by executives of the two payment networks. The testimony was given in court proceedings as financial institutions and bank trade groups seek to consolidate separate lawsuits against TJX into a class action in U.S. District Court in Boston. TJX opposes the consolidation. An industry source who asked not to be identified tells Digital Transactions News the earlier figure was “not conclusive” despite the play it got in the media. Other sources agree, adding that the new, higher number results from more complete investigations since March.
“I think the discrepancy is caused by the fact that all of the numbers weren't reported in the past,” technology analyst Avivah Litan of Stamford, Conn.-based Gartner Inc. tells Digital Transactions News via e-mail. “The additional account numbers are the result of forensics investigations done separately by Visa and MasterCard and others.”

TJX, owner of the T.J. Maxx, Marshalls, and other chains, is not commenting on pending litigation, but the company's Web site still cites the lower number. TJX has maintained that 75% of the exposed account numbers were expired or did not contain security codes from the cards' magnetic stripes, but Thursday's Boston Globe says the company now claims 95% of the cards were expired when it discovered the breach in late 2006.

Citing another filing in the case, the Globe on Thursday reported that Joel Lisker, a former top MasterCard security executive, reviewed a TJX report by Chicago-based Trustwave, a data-security assessor, and determined that TJX met just three of 12 major card-network requirements for protecting data. Lisker is now a Washington, D.C., lawyer working for the banking plaintiffs, the newspaper said. Among other vulnerabilities, Lisker in his court statement said TJX's computer system lacked proper firewalls to prevent intruders from getting access to and extracting data from its servers. Investigators suspect the hacker or hackers first gained access through wireless systems at two Miami-area stores, through which they were able to penetrate computers at TJX headquarters.

On a related front, Visa late Wednesday reported that 65% of its largest merchants, the so-called Level 1 merchants submitting 6 million or more Visa transactions annually, had validated compliance with the Payment Card Industry data-security standard (PCI) by the end of September, up from 36% last December. As of Aug. 31, some 44% of 327 Level 1 merchants had validated compliance and another 54% had submitted plans but needed to make remedial changes before they would be accepted (Digital Transactions News, Oct. 2). That means approximately 69 merchants attained full compliance in just one month. Visa had set a Sept. 30 deadline for Level 1 merchants to achieve PCI compliance, with merchant acquirers facing fines of $25,000 a month for each of their non-validated merchants. Visa hasn't said if it has actually fined any acquirer.

PCI compliance among Level 2 merchants, those originating 1 million to 6 million Visa transactions a year, grew to 43% as of Sept. 30 from 15% in December. Level 2 merchants have until Dec. 31 to validate compliance. The number of Level 1 and 2 merchants that had submitted PCI plans but need some remediation as of Sept. 30 wasn't immediately available. Level 1 and Level 2 merchants originate about two-thirds of Visa transactions. Visa also said in a release that 99% of Level 1 and 2 merchants confirmed they are not storing prohibited account data such as magnetic-stripe data (also known as track data), CVV2 (the security code on the back of the card), and PIN data. In addition, all of Visa's active acquirers have submitted plans for identifying data-protection risks among the smallest merchants, the so-called Level 4 merchants, and for developing PCI education programs for them, according to Visa.
