Stolen customer data from retailer TJX Companies Inc. has been used to make credit card purchases around the globe, according to an association that represents more than 200 banks in Massachusetts.
The Massachusetts Bankers Association said Wednesday that several of its member banks reported fraudulent transactions associated with the data breach at TJX stores. The stolen data was used to make purchases in Florida, Georgia and Louisiana as well as Hong Kong and Sweden, the trade group said.
In addition, credit card issuers have contacted 60 banks about compromised cards, the bankers association said.
The association is also supporting legislation and card association rule changes in Massachusetts that would bolster disclosure rules for companies that have a data breach, and place the financial liability with that company as well.
"By not disclosing which firm caused the breach, or quickly disclosing it, consumers are needlessly troubled and might feel compelled to take unwarranted action if they're left in the dark," said Daniel J. Forte, CEO and president of the MBA in a statement.
Framingham, Mass.-based TJX announced on Jan. 17 that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The intrusion may involve customers of its T.K. Maxx stores in the U.K. and Ireland and could also extend to TJX's Bob's Stores in the U.S., the company said.
The breach took place in 2003 and from May-December in 2006, the retailer said. The size and scope of the breach has not been announced, but experts say millions of customers may have been affected. The discovery was made in December, but the retailer said investigators asked to delay an immediate announcement of the breach during the initial part of the investigation.
Experts say that data encryption techniques may have helped avoid the data breach at TJX. While data encryption is an additional expense for companies, the costs associated with a data breach, including a loss of customer confidence can be catastrophic, said Larry Ponemon, founder and chairman of the Ponemon Institute.
"Encryption would solve a lot of the problems that we see today," Ponemon said. "It's not as sophisticated a technology as we'd like to believe, but it does the job because even though criminals are getting smarter, they're not as smart as we'd like to think."