The number of Visa and MasterCard accounts that could have been exposed to potential fraud by a data breach at retailer TJX Companies, could be nearly double the original estimates, according to documents filed in court.
Filings in a bank case against TJX, the parent of TJ Maxx, Marshalls and A.J. Wright chains, indicate that as many as 94 million cards could have been compromised. Depositions by security officers at Visa indicate that as many as 64 million accounts may have been exposed, while MasterCard has estimated as many as 29 million of its accounts were at risk.
Earlier this year, TJX indicated the breach may have involved 45 million cards.
An investigation by Canada's Privacy Commissioner last month blasted the Framingham, Mass.-based company for failing to protect its customers.
In that investigation, the privacy commissioner blamed the retailer for collecting too much personal information from customers, keeping it too long and relying on weak encryption technology to protect it. In Canada, TJX operates the Winners and HomeSense retail chains.
The Canadian investigation concluded that an intruder may have initially gained access to customer information via a wireless local area network at two Marshalls stores in the Miami area. Customer information was subsequently stolen from mid-2005 through December 2006.
Among the findings by the privacy commission were that TJX did not act quickly in converting from a weak encryption standard to a stronger standard. It also found that the company did not adhere to the requirements of the Payment Card Industry Data Security Standard, which was developed to address credit card data theft.
The court filings this week were made by banks that have sued TJX and Fifth Third Bancorp, which processed some card transactions for TJX. The banks are seeking class certification to allow other banks to join the complaint and share damage awards. TJX reached a tentative settlement on a consumer class action suit in September.
