As the massive data breach at the TJX Cos. continues to play itself out in court, more details are emerging as the case shifts to how banks can recoup the costs of reissuing credit cards.
TJX may have discovered that its systems were breached as early as October of 2006, two months earlier than it disclosed, according to a report in the Boston Globe of the ongoing dispute being played out in court. A bank executive at a court hearing disclosed that Discover payment cards informed TJX of a problem in October, but it took four weeks for the retailer to get security pros in place to investigate the matter.
The Framingham, Mass. retailer is defending itself from banks trying to recoup the costs of reissuing credit cards following its data security breach that compromised as many as 45.7 million credit cards. A federal judge overseeing the lawsuit, brought on by a group of New England and Alabama banks, on Tuesday sent the case to Massachusetts state court to work out a remedy. The banks plan to appeal an earlier ruling rejecting class action status for the dispute.
The banks that are suing TJX claim that more than 94 million accounts were compromised in the breach TJX first disclosed in January. That number includes 65 million Visa account numbers and 29 million MasterCard numbers.
Meanwhile, TJX is offering to pay Visa card issuers $40.9 million to compensate for costs connected to the breach. The offer, which is being called an "alternative recovery" program, is being supported by Visa. Banks have until Dec. 19 to decide whether to accept the offer.
Meanwhile, a second report on the TJX breach investigation is expected to be released by U.S. investigators early next year. In a report issued by Canadian privacy officials released in September, TJX was criticized for collecting far too much consumer data for far too long while failing to upgrade its Wi-Fi security to the stronger WPA encryption protocol.