SAN FRANCISCO -
A criminal fraud investigation into a data breach that TJ Maxx and Marshalls found that as many as 100-million Visa card account numbers had been breached. That investigation found that TJX Companies, parent to the two chains, had deployed only minimal encryption of data and had further held cardholders' information longer than needed. As part of the settlement, Visa Inc. said it would rescind the significant fines it had earlier levied against TJX Cos. The settlement followed by one day a decision by a federal judge to toss out a class action suit filed by several banks, saying they would have to sue separately.
In September, TJX Cos. said it had settled customer class action suits and put $107-million in reserve to pay claims. That settlement is pending approval by the judge in the case.
While the litigation appears to be reaching settlement, the hackers who were behind the breach and who gained access to the credit card history files have yet to be caught. One group of 10 South Florida residents has been charged after going on a $1-million spending spree across Florida using stolen credit card numbers. Authorities suspect the group acquired the account numbers from the TJX hackers. The Miami group bought stacks of gift cards at stores such as Wal-Mart and Sam's Club in Central Florida, then cashed them.
TJX said three-quarters of the initial 45.7-million account numbers compromised were for accounts that had either expired or did not include security code data embedded in magnetic stripes on the cards.
Several credit unions had been bidding to join the lawsuit against TJX Companies. SELCO Community CU, of Eugene, Ore., asked the federal court here to certify all credit unions and banks that received an alert from Visa or MasterCard related to the TJX breach for purposes of a class action suit against Fifth Third Bancorp, the cards processor for TJX. SELCO attorneys said Fifth Third was told of the breach by TJX on Dec. 26 or 27, 2006, but waited three weeks to notify CUs and banks.
