TJX Data Security Breach Takes Toll On Financial Svcs.

BOSTON - Credit union industry officials are still trying to determine the extent of a massive data breach that could match the 2005 debacle at Card Systems Solutions, Inc. in Arizona.

Retail giant TJX, which owns discount stores TJ Maxx and Marshalls, plus other stores, has told local media outlets that the data breach happened in December 2006 and that it has been investigating on its own while cooperating with federal authorities. TJX owns 2,500 stores nationwide. Boston-area newspapers have reported that as many as 40 million customers might be affected by the theft of their personal information.

Massachusetts Credit Union League President Daniel F. Egan said the TJX breach has already had a significant effect on area financial institutions and also said that credit unions tend to react to breaches by replacing member cards as quickly as possible.

"It's an expensive proposition for everyone," Egan said. "They're replacing cards as soon as they find out."

Egan said TJX had withheld information on the data breach until after the holiday season and that the problem might go back as far as 2003. Egan said it's another example of retailers keeping customer information for too long and then not using proper security to safeguard the data.

"Again, it's a poor system at the retail level," Egan said.

Egan said the Massachusetts CUL had immediately contacted Congressman Barney Frank, who represents the 4th District and is the new chairman of the House Financial Services Committee. Egan said Frank is aware of the data breach threat to credit unions and wants to introduce legislation that would increase accountability of credit card companies.

In a prepared statement released to the public, Frank said: "I learned of the latest data breach from a financial institution that may have to bear the costs of informing customers and issuing new credit cards but they were not told why. This is further evidence of the need for a provision that Democrats pushed for in last year's debate over data security. Mainly, those institutions where breaches have occurred must be identified and they must bear responsibility. Specifically, this means retailers or wholesalers must take responsibility, contrary to what common practice is today."

CUNA Mutual Senior Risk Manager Brian Fisher also said it was unclear just how large the data breach was and still too early to know the entire story.

"We're still trying to figure out the breadth of it and how it will affect credit unions," Fisher said. "We're in an early reaction phase and trying to get more information and limit the damage."

Fisher said that while the actual cost of credit or debit card replacement is only a couple of dollars, the associated labor costs, mailings and member frustration drive the cost much higher.

In April of 2005, CUNA Mutual filed suit in Massachusetts Superior Court against BJ's Wholesale Club and Fifth Third Bancorp over a similar, massive data breach. The suit was filed on behalf of CUNA Mutual and more than 160 credit unions around the nation. CUNA Mutual spokesman Phil Tschudy said the case is still in the discovery phase, which will continue until the end of April, with final motions most likely taking place in May. Tschudy said if the case does continue, it might not go to trial until 2008.

(c) 2007 The Credit Union Journal and SourceMedia, Inc. All Rights Reserved.
