A year later: TJX breach implications widespread

BOSTON (1/22/08)--It was one year ago last Thursday that the TJX Cos. disclosed the largest credit and debit card data breach in history. The implications of that breach are widespread.

That breach set off a chain of lawsuits from consumers and financial institutions, including credit unions who footed the bill for notifying members and replacing their compromised cards.

It instigated a number of bills in state and federal legislatures to protect consumers' data and make merchants more responsible for the data they handle.

The event, coupled with a significant increase in sophisticated attempts to phish personal information from consumers, also changed the way credit unions and their members deal with security issues. More credit unions are taking precautions by offering credit monitoring identity theft services and security solutions.

The Framingham, Mass.-based retail company, which owns T.J. Maxx and Marshall's, figures the intrusions began in mid-2005 at two Marshall's stores in Miami that had wireless Local Area Networks (LANs).

Eventually at least 45.6 million card numbers were compromised and card companies such as Visa and MasterCard estimate that as many as 94 million cards were exposed.

Computerworld, looking at the one-year anniversary of the breach, said security managers have five take-aways from the incident (Jan. 17):

• Breach disclosures don't always affect a company's revenue or stock prices. Customer and investor confidence in TJX was "largely unshaken." When the breach was disclosed its stock was worth about $30 per share. Its closing price on Thursday was just over $29 per share. Its sales for the 48-week ending Jan. 5 increased 4% from the same period a year ago.

• Breach disclosures are still costly. TJX spent or set aside in the past year about $250 million for costs related to the breach.

• The Payment Card Industry (PCI) Data Security Standard remains a work in flux. The industry's rules require merchants to implement 12 broad security controls for protecting customer data. However, many companies still aren't in compliance. Court documents indicated TJX wasn't compliant with nine of the controls.

• The breach exposed card-payment issues that exist between merchants and their financial institutions and credit card companies. Credit unions and smaller banks have lobbied several state legislatures to pass new laws requiring merchants to reimburse them for the costs involved in notifying member/customers and reissuing cards. Retailers are fighting these bills.

• The perpetrators of the breach are still out there. Only a few people have been arrested for using card numbers stolen during the breach. The hackers are still free and likely will strike again.

Copyright © 2008 - Credit Union National Association, Inc. All rights reserved. Reproduction is prohibited without written consent.