Even more details are beginning to emerge about the theft of data on computer systems belonging to TJX Companies, the parent company of TJMaxx and Marshalls stores. Unfortunately, it appears that thieves are actually using information they stole from the TJX Company computers. The on-line publication Computerworld described the data security breach as follows:
The scope of the security breach disclosed this week by The TJX Companies Inc. is starting to make itself evident, with more than three dozen banks in Massachusetts alone now reporting that cards they issued have been compromised.
A spokesman for the Massachusetts Bankers Association said this afternoon that 40 of the MBA’s 205 member banks have said they suffered card compromises as a result of the breach at Framingham, Mass.-based TJX. That number is sure to grow as more banks report to the association, he added, noting that only about 60 have done so thus far.
It appears that the data stolen from TJX Company should never have been saved in the company’s computer system in the first place. According to the Computerworld article, the data stolen from the corporate computer system included:
account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion.
Credit card company standards prohibit retailers from storing this information in their computer systems once a consumer transaction has been completed:
Retailers are forbidden from storing such information under the Payment Card Industry (PCI) Data Security Standard being pushed by Visa, MasterCard International Inc. and other credit card companies.
TJX Companies apparently did not follow this credit card company requirement nor did it encrypt sensitive data on its systems as also required by the Payment Card Industry Data Security Standard. Thus, although thieves stole credit card data and numerous consumers have apparently been affected, it appears that the TJX Company’s lax adherence to the Payment Card Industry Data Security Standard allowed such an intrusion to occur. If this information turns out to be accurate, in my opinion, TJX should bear responsibility for allowing such a serious data security breach to occur. If you shopped at TJMaxx or Marshalls, what do you think about the company’s approach to consumer privacy and data security? If you have received word from your credit card company that you may be a victim of this data security breach, do you think TJX Companies should be held accountable? I’d like to hear your opinions.