Hack Attack Means Headaches For TJ Maxx

Parent company TJX may have violated Visa security rules by storing credit-card data

Larry Greenemeier, Contributor

February 2, 2007

Fallout from a hacker attack on the IT systems of TJX, whose properties include T.J. Maxx, Marshalls, and HomeGoods retail stores, intensified last week, as credit card fraud related to the incident was reported in several states and outside the United States, and as lawsuits were launched against the company, including a consumer class-action suit.

The attack, which was reported two weeks ago, is taking a financial toll on TJX. The company said last week it will record a fourth-quarter charge of 1 cent per share, or about $4.5 million, related to the hack, including the costs to investigate and contain the intrusion, enhance computer security, and communicate with customers. Things are likely to get worse, as a number of documents sent by Visa to financial institutions that issue cards and manage Visa transactions indicate TJX was storing credit and debit card data in violation of the Payment Card Industry Data Security Standard created by Visa and MasterCard.

Merchants like TJX aren't supposed to store cardholder data because a thief can use that information to create a counterfeit credit or debit card. "I can see storing data for a few hours or a day until transactions clear, but some of the stolen data goes back to 2003," says an executive at a California credit union that issues Visa cards and has been stung by the TJX hack. "That's a long time to be out of compliance."

TJX was storing customer information that's recorded on Track 2 of a Visa card's magnetic stripe, which generally includes the account number, the expiration date, and the card verification value, a three- or four-digit code that's used to verify the card's authenticity. That data is enough for crooks to make fake cards and run up charges. Track 1 is where alphanumeric data, including the cardholder's name and address, is recorded; apparently TJX wasn't storing that data.
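The compliance failure described above is that Track 2 data was sitting at rest on a merchant's systems. The following is an added example, not code from the article or from TJX, showing how a defender would sweep stored logs for Track 2 strings, validate candidate account numbers with the Luhn check to cut false positives, and redact the data down to the first six and last four digits. The field layout (start sentinel `;`, account number, `=`, expiry YYMM, three-digit service code, discretionary data, end sentinel `?`) follows the public ISO/IEC 7813 Track 2 format, which the article does not name; the log lines are constructed, and the account numbers are well-known industry test numbers, not real cards.

```python
import re

# Constructed sample POS log (not from the article). 4111111111111111 and
# 5500000000000004 are standard test PANs; 4111111111111112 fails Luhn.
SAMPLE_LOG = """\
2007-01-12 14:03:11 POS-0042 auth ok tender=;4111111111111111=0803101123456789?
2007-01-12 14:03:12 POS-0042 settle batch=8812 amount=49.99
2007-01-12 14:04:01 POS-0042 auth declined tender=;4111111111111112=0803101123456789?
2007-01-12 14:05:33 POS-0043 auth ok tender=;5500000000000004=0911201987654?
"""

# Track 2 per ISO/IEC 7813: ;PAN=YYMM<service code><discretionary data>?
# The card verification value lives inside the discretionary field at an
# issuer-specific position, so the whole match is treated as sensitive.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(text: str) -> list:
    """Scan text line by line and report every Track 2 string found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            pan = m.group("pan")
            hits.append({
                "line": lineno,
                "pan": pan,
                "luhn_ok": luhn_valid(pan),
                "expiry": m.group("exp"),
                "service_code": m.group("svc"),
                "has_discretionary": bool(m.group("disc")),
            })
    return hits


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI display allowance)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_track2(text: str) -> str:
    """Replace each full Track 2 string with a masked PAN only, dropping
    expiry, service code and discretionary data (including any CVV)."""
    return TRACK2_RE.sub(lambda m: mask_pan(m.group("pan")), text)


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_LOG):
        flag = "valid PAN" if hit["luhn_ok"] else "fails Luhn"
        print(f"line {hit['line']}: {mask_pan(hit['pan'])} exp {hit['expiry']} ({flag})")
    print(redact_track2(SAMPLE_LOG))
```

Run against real log directories, a scanner like this is a quick way to confirm the claim "we don't store track data" before an assessor or an attacker does; the Luhn filter matters because long digit runs (batch ids, timestamps) otherwise produce noise.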

Hence, chairman and founder Ben Cammarata's assertion, in a video on the company's Web site, that customer names and personal identification numbers weren't compromised. "It would be unlikely for cyberthieves to commit identity fraud using the information taken," Cammarata said. As a result, TJX has no plans to offer credit monitoring services for its customers. "Credit monitoring does not detect fraudulent charges on your credit and debit accounts," he said.

SIN OF OMISSION

TJX didn't respond to requests for interviews. But one analyst says it's unlikely that TJX was intentionally storing the data. "It's usually a problem with the legacy systems these companies are using," says Gartner research director Avivah Litan. "These systems were put in place years ago when there was no thought given to cyberattacks. No one would ever program a system like that today."

More than 60 banks in Massachusetts have reported compromises of customer accounts as a result of the security breach, and that figure is expected to grow, according to the Massachusetts Bankers Association. Despite the fact that TJX says the hack occurred in December, the California credit union executive started seeing an increase in counterfeit cards used to commit fraudulent transactions before then. And, according to a Jan. 23 e-mail distributed to financial institutions by Visa's director of fraud control, there's been an increase in fraud activity on certain TJX accounts since mid-November, particularly in California, Florida, Illinois, New York, and Texas.

The credit union executive says it's unclear just how much the TJX data breach will cost his organization. In addition to the fraudulent charges it must absorb, the credit union is issuing new cards for any cardholder accounts Visa says were affected by the TJX compromise, which costs a few dollars per card. As an issuer of Visa cards, the credit union--not Visa or TJX--is on the hook to pay for any fraudulent transactions charged to members' accounts.

The lawsuits are starting to fly, alleging that TJX and one of its credit card partners, Fifth Third Bank, failed to secure the personal data of millions of customers. A class-action lawsuit was filed last week in U.S. District Court for the District of Massachusetts on behalf of several banks affected by the breach, including AmeriFirst Bank of Union Springs, Ala. A consumer-based class-action suit was filed Jan. 19 in U.S. District Court for the Northern District of Alabama.

Fifth Third Bank is one of TJX's merchant banks, which provide the financial network and card readers that let stores accept credit and debit card purchases. Visa can fine merchant banks up to $500,000 if one of the stores they do business with violates the PCI rules. Last year, Visa assessed $4.6 million in PCI fines, up from $3.4 million in 2005.

Visa's Plan For Banks

The Carrot
> $20 million fund to reward banks that comply with payment-card rules by Aug. 31 and don't compromise data

The Stick
> $500,000 maximum fine for banks not complying with rules

> $25,000 a month for each noncompliant, major merchant the bank supports by year's end

> $10,000 per month for each merchant the bank supports that's storing certain data by the end of March

Visa is tightening the noose around PCI slackers. Banks will be fined up to $25,000 a month for each of their largest merchants--those that process more than 1 million Visa transactions annually--that doesn't comply with PCI rules by the end of this year. Storing data is a particular no-no; banks must assure Visa by March 31 that their merchants aren't storing data such as that on a card's magnetic stripe, the card verification value, or PIN data, or they can be fined up to $10,000 a month per merchant.

Retailers like TJX and the banks that enable them to process credit and debit transactions should be aware of the consequences of poor security practices, given recent history. In 2005, Visa and MasterCard said account data for 36 million cardholders that was being stored by CardSystems, a credit card processor, had been stolen in a hack. The breach, and resultant bad publicity, put the company out of business. A year ago, a hack into a merchant system storing PIN data forced Bank of America, Citigroup, Washington Mutual, Wells Fargo, and some smaller banks and credit unions to temporarily shut down PIN-based transactions and reissue debit cards. Now the Massachusetts Bankers Association is supporting legislation and card association rule changes that would identify the company breached and place the financial liability with that company.

Gartner's Litan recommends that banks and payment processors upgrade their payment systems to include strong user authentication capabilities, and that retailers like TJX use encryption to protect cardholder data. Even with these additional protections, all businesses should take a hard look at whether the customer data on their systems really needs to be there.

Photo by Sacha Lecca
