By Mark Jewell
Associated Press
Thursday, October 25, 2007

At least 94 million Visa and MasterCard accounts may have been exposed to potential fraud in a data breach at TJX, more than double the previous estimate by the discount retailer.

The figure was included in court filings this week that cited officials from the credit card associations.

The filings in a bank case against TJX indicated that fraud-related losses involving Visa cards alone range from $68 million to $83 million and are spread across 13 countries. One filing warned that the total will rise as thieves continue to use data from compromised cards.

"These are going to be sold off for a period of time in the future, so it's going to continue for some time out there," Joseph Majka, Visa USA's vice president of investigations and fraud management, said in court documents unsealed late Tuesday.

Depositions of security officials at Visa and MasterCard suggest the breach was far bigger than TJX has indicated. Even before the latest numbers, independent organizations that track data breaches had called the case the largest ever.

TJX said in March that at least 45.7 million of its shoppers' cards had been compromised, although it acknowledged it may never learn the total number. However, the Framingham, Mass.-based owner of 2,500 stores including TJ Maxx and Marshalls has said about three-quarters of the cards had either expired by the time of the theft or had masked data in the magnetic strip, meaning the information was stored as asterisks rather than numbers.

Neil Maguire, a MasterCard security official, said in a Sept. 27 deposition that his company believed it had "roughly 29 million" compromised cards.

TJX spokeswoman Sherry Lang declined comment.

No arrests have been made of people suspected to have broken into TJX's systems, although 10 people were convicted in Florida this year for their roles in a ring using stolen TJX customer data to buy gift cards and merchandise.

Last month, a Canadian government investigation led by Privacy Commissioner Jennifer Stoddart concluded that hackers intercepted wireless transfers of customer information at two Marshalls stores in Miami. The break-in gave hackers undetected access to TJX's central databases for a year and a half, starting in July 2005.

Tuesday's court filings in U.S. District Court in Boston were made by banks that have sued TJX and Cincinnati-based Fifth Third Bancorp, which processed some payment card transactions for TJX. The plaintiffs include banking associations in Massachusetts, Connecticut and Maine, as well as small banks like Alabama-based AmeriFirst Bank, Maryland-based Eagle Bank and Massachusetts-based SaugusBank.

Attorneys representing consumers who are part of the same lawsuit recently reached a tentative settlement with TJX. If the deal is finalized, consumers would receive benefits including cash or merchandise vouchers and credit.