TJX breach could hurt 30% of New Englanders

Between 20% and 30% of all New Englanders may have been affected by the recently disclosed data breach at Framingham, Mass.-based retailer TJX Companies, according to the New Hampshire Bankers Association (NHBA).

That estimate is based on feedback the association has received so far from discussions with its 33 member banks, according to Jerry Little, president of the NHBA.

So far, 11 banks have reported being contacted by credit card companies about compromised card use, Little said. But indications are that all of NHBA's members have been affected by the breach, he said. The association has sent a survey to all its members and will have a better estimate of the financial fallout by early next week.

The banks that have reported in so far "have had significant compromises," Little said.

It's been a more difficult to get a handle on the extent to which the compromised cards are being used in fraudulent transactions, he said. But a few of the banks have reported fraudulent use of cards that are on the list of cards compromised in the TJX breach, and in some cases, the fraud appears to have been going on even before the breach was disclosed by TJX last week, he said.

It is still too early to say what the NHBA's response will be to the incident, Little said. But the group is considering options that include legal action against TJX and a push for legislative reform that would hold breached entities financially liable for the costs associated with blocking and reissuing credit and debit cards, he said.

Typically, a bank spends between $5 and $15 to replace a single card, which for a small bank can be quite steep, he said. A compliance process exists where banks can request at least a partial reimbursement from the acquiring bank -- the bank that grants merchants the approval they need to accept credit cards. "I know of a number of institutions that have made these types of filings in the past, and they say they have never received a penny," Little said.

At this point, "the best thing is if TJX would step up to the plate and indemnify financial institutions who are incurring these costs for no fault of theirs," he said.

Experts have said that while it is difficult to prevent such breaches, it can be even harder to uncover them after the fact.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.