The security breach that hit TJX Companies Inc. is still causing trouble for the U.S. retailer.
Less than a month after TJX disclosed in a Securities and Exchange Commission filing that more than 45 million credit and debit card numbers may have been stolen from its IT systems over an 18-month period, the company is being hit with a class-action law suit seeking "tens of millions of dollars." The Massachusetts Bankers Association, which represents 207 financial institutions, announced that it is filing the suit in federal court in Boston.
The MBA also said in a release that the Connecticut Bankers Association, the Maine Association of Community Banks, and individual banks are joining as co-plaintiffs. Together, the three associations represent nearly 300 banks. Other banks can still join the suit.
TJX is the parent company of T.J. Maxx, Marshall's, HomeGoods, and other retailers. The security breach, which was announced in January, is the largest customer data breach on record.
A statement from the MBA noted that as a result of the TJX breach, there have been "dramatic costs" to financial institutions in their effort to protect cardholders.
"The MBA made a decision to file a class action suit because we believe we are in the best position to achieve success for our members and customers," said Daniel J. Forte, president and CEO of the MBA, in a written release. "With the possible exception of the banks from California that could also decide to join us, our New England institutions have had the most exposure to this massive data breach. We believe TJX has more stores in our region than anywhere else other than California and, of course, it is headquartered here in Massachusetts."
According to the MBA, banks throughout New England continue to receive lists of "hot" cards that have been exposed in the TJX data breach -- more than three months after TJX first disclosed that there had been a problem.
"Protecting consumers is our number one priority," said Lindsey Pinkham, senior VP of the Connecticut Bankers Association, in a written statement. "However, retail data breaches are getting larger and more frequent and we cannot continue to absorb the costs."
TJX discovered the break-in on Dec. 18, and it most likely dates back to July 2005. Thieves working online may have stolen card data from TJX's Framingham, Mass., computer system during the approval process, in which payment data is transmitted to card issuers without being encrypted.