At least two class action lawsuits have been filed and one attorney general investigation has begun so far as a result of a data breach at TJX Companies. Customers who shopped at TJMaxx, Marshalls and other company stores throughout the United States, Canada and Puerto Rico sometime in 2003 and 2006 may have had their personal private account data exposed to computer thieves. According to the on-line publication E-Week.Com, describing the identity theft breach,
the information stolen from TJX during two specific incidents in 2003 and 2006 has already been put to use by fraudsters, according to the MBA (Massachusetts Bankers Association).
The banking industry group said that it has received reports of fraud carried out on debit and credit card accounts exposed in the data heist in locations including Florida, Georgia, and Louisiana in the United States, and Hong Kong and Sweden overseas. The widespread nature of the criminal activity could indicate that the data has already been passed from the hackers who stole it to people around the globe intent on using it to carry out fraud, a common scenario for the use of stolen personal information.
The TJX Company’s overall conduct surrounding the data breach into its computer systems has become a target of scrutiny in a recently announced investigation by the Rhode Island Attorney General.
On Feb. 5, the Rhode Island attorney general’s office confirmed that it is launching a formal investigation of TJX’s data breach, including what caused it, why it wasn’t detected more quickly and why the announcement of it was delayed.
Apparently, Rhode Island’s Deceptive Trade Practices Act and its Identity Theft Protection Act of 2005 require immediate notice of a data breach to impacted consumers. The Attorney General’s office plans to ask TJX Companies why it did not notify consumers for at least one month after it became aware of the data breach into its computer systems. The number of affected consumers has apparently still not been disclosed; however, fraudulent activity has been reported throughout the country and the world.
Based upon reports of widespread data theft and fraud throughout the world, it appears that TJX Companies faces an uphill and costly task ahead to repair consumer credit, restore relationships with credit card providers, and restore overall consumer confidence. The company apparently could have minimized exposure to credit card thieves, hackers and identity thieves by following the Payment Card Industry (PCI) Data Security Standard, which requires data shredding and encryption. Unfortunately, based on my review of news accounts, it appears that identity thieves have had a field day with customer data simply because the TJX Company failed to take data protection seriously. In all fairness, I have only reviewed news accounts and usually hesitate to jump to conclusions without hearing more details. The TJX Company has been somewhat quiet about its data protection practices and procedures, which will likely be disclosed in the course of the pending litigation. Stay tuned for more details as we learn them.