More Thefts From TJX Breach

Retail giant out of compliance with PCI security requirements, according to Visa alert

Tim Wilson, Editor in Chief, Dark Reading, Contributor

January 30, 2007

2 Min Read
Dark Reading logo in a gray background | Dark Reading

More than 60 banks have reported compromises of customer accounts as a result of the recent security breach at retail giant TJX Companies, and that figure is expected to grow, according to the Massachusetts Bankers Association.

And in a separate report, Visa alerted financial institutions that TJX had violated the Payment Card Industry's Data Security Standard guidelines, which prohibit long-term storage of credit card data by retailers.

Less than half of the 205 banks in Mass. have reported their findings on the TJX breach, disclosed two weeks ago. (See TJX Breach Skewers Customers, Banks.) Most of the banks reporting in have seen unauthorized account activity on at least some of the credit cards exposed in the breach, according to the MBA.

The banks are still contacting TJX customers, and in some cases, are canceling customer accounts and re-issuing cards, according to Daniel Forte, CEO and president of the MBA. The number of banks affected is "likely to grow higher," the MBA says, as many of them haven't been able to report "because the situation is such a moving target."

Officials at TJX still aren't saying how the breach occurred, but according to an alert sent Jan. 15 via the Visa Compromised Account Management System, the retailer had stored credit card data dating back to 2003. PCI rules, which are set and enforced by the credit card companies, state that merchants cannot store data for long periods.

The banks are absorbing most of the punishment resulting from the breach. It is the banks, not TJX, which are reimbursing customers for the account thefts, and it is the banks, not TJX, which could be subject to fines for doing business with a merchant that does not comply with PCI.

The banks are responding by asking for swifter action by legislators and credit card companies to require swift disclosure of breaches among retail merchants. "By not disclosing which firm caused the breach, or quickly disclosing it, consumers are needlessly troubled," Forte says.

— Tim Wilson, Site Editor, Dark Reading

About the Author

Tim Wilson, Editor in Chief, Dark Reading

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

See more from Tim Wilson, Editor in Chief, Dark Reading
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Starbucks logo on a storefront
Cyberattacks & Data Breaches
Ransomware Attack on Blue Yonder Hits Starbucks, SupermarketsRansomware Attack on Blue Yonder Hits Starbucks, Supermarkets
byJai Vijayan, Contributing Writer
Nov 25, 2024
4 Min Read
thumbnail
Сloud Security
Nearly Two Dozen AWS APIs Are Vulnerable to AbuseNearly Two Dozen AWS APIs Are Vulnerable to Abuse
byJai Vijayan, Contributing Writer
Nov 17, 2020
4 Min Read
Male hand holding a tablet, with a car floating above it; black background
Vulnerabilities & Threats
My Car Knows My Secrets, and I'm (Mostly) OK With ThatMy Car Knows My Secrets, and I'm (Mostly) OK With That
byKyle Hanslovan
Nov 26, 2024
5 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events