Hackers access card numbers

Banks are reissuing millions of debit and credit cards after a hacker gained access to TJ Maxx and Marshalls databases, putting customers' financial information at risk of theft.

It's going to cost banks about $20 for each reissued card, according to Joseph Pietroski Jr., president of the Maine Bankers Association.

The stores' parent company, TJX Companies Inc., said it discovered the unauthorized intrusion into its computer systems in mid-December 2006. But it didn't announce the breach publicly until Jan. 17, 2007.

Mark Walker of Maine Bankers Association said CitiBank already has reissued at least 1 million new cards. TD Banknorth's number of reissued cards is in the tens of thousands. Bank of America announced Thursday it will reissue an untold number of cards, Pietroski said.

Walker said usually the reissued cards are attached to new account numbers.

"Banks are absorbing an awful lot of cost for this thing," Pietroski said Friday.

Mark Young, vice president of operations at Maine State Credit Union, said the credit union has been notified by Visa that approximately 3,100 Maine State Credit Union cards were affected. A total of 7,400 Visa credit cards and 8,500 Visa debit cards were issued by the credit union.

Young said it appears the breach involves millions of card accounts across all major payment brands accepted by TJX.

"The credit union's card services department reacted swiftly to the notification by blocking each card that may have been affected, ordering new cards and notifying each member to inform them of the situation," Young said Friday.

"Members were also reminded that account holders would not be responsible for any fraudulent charges resulting from the compromise."

In Massachusetts, 28 banks were contacted by credit card companies indicating some customers had personal information that may have been exposed, according to the Massachusetts Bankers Association.

Walker said most of the affected banks are in Massachusetts and New Hampshire. Only about a half-dozen Maine banks are affected.

Pietroski said a breach doesn't necessarily mean accounts have been tapped. Banks often choose to reissue cards as a preventive measure to head off fraudulent charges.

"If TJX had let the banks know early on that the cards had been compromised, then the banks could have responded a lot quicker," Pietroski said. "I don't know the depth of the information compromised. That's the scary thing."

William Lund, director of the Maine Office of Consumer Credit Regulation, said a new state law enacted Wednesday requires individuals, businesses and other entities to notify consumers and state regulators when there has been a security breach of computerized data containing the consumers' personal information that could result in identity theft.

"If these breaches had taken place a couple weeks later, TJX would have had to either call an office like ours or the attorney general's office and also send out individual letters to consumers," he said.

For the time being, Lund said people should monitor their credit reports to make certain they don't fall victim to identity theft. He said there are three steps people can take to protect themselves.

"First, look at your credit reports. You can do that under the law without charge once a year," Lund said. "The second step is to put a fraud alert on your credit report.

"And the third step, under Maine law, consumers are permitted to freeze their files, which locks access to a credit report without the consumer's specific permission. That's the most protective step a consumer can take."

Lund said people can access all three credit agencies -- Equifax, Experian and Trans Union -- at http://www.annualcreditreport.com

Calls to local branches of Kennebec Savings Bank, Gardiner Savings Bank, TD Banknorth and Bank America were unreturned Friday.

On Monday, a lawsuit seeking class-action status was filed in federal court in Boston accusing TJX of negligence for waiting to publicly announce the intrusion and for failing to protect consumer credit- and debit-card information in its computers.

The lawsuit, filed on behalf of a West Virginia woman, seeks credit-card monitoring for affected customers and compensation for damages.

David Loughran of the Maine Office of the Attorney General said the Massachusetts attorney general also is investigating TJX.

"We're working with the Massachusetts attorney general's office on this to protect Maine consumers from credit card and other fraud," Loughran said.

Mechele Cooper -- 623-3811, Ext. 408

mcooper@centralmaine.com


Reader comments

Ben of Cliff Island, ME
Feb 3, 2007 5:13 PM
I believe that this article downplays the impact of this "data breach." My card number was one of those stolen, and I spent most of last Sunday afternoon and parts of Monday and Tuesday dealing with the mess, and there'll be more to come. This is far more than the $20 impact quoted by the article.
The real question is why was TJX keeping our credit card number on file months after we last shopped at their store (the South Portland Home Goods)?

al375 of Dresden, ME
Feb 3, 2007 10:01 AM
I think it is definately time to go back to cash only. It is inconvenient but at least your identity is safe when you make purchases. Many stores, especially the larger grocery chains, treat checks as debit devices - so checks are no longer safe either. Except for banks, businesses don't charge interest or fees for using cash.

GreatNana3 of Augusta, ME
Feb 3, 2007 8:29 AM
I can't imagine a worse time of year for TJX to I hope they are fined "big time" for deriliction of duty. Even if I am not one of the customers that is notified it still reduces my confidence in the security of using credit/debit cards. This is not the first breach of security - it seems to me that it is only a matter of time before there is a major problem. Can you imagine: your credit card info is stolen - and used to finance terrorism. You spend years regaining your "good name" - if ever. I don't even want to think about it . . . .