More than 94 million accounts were affected in the theft of personal data from TJX Cos., a banking group alleged in court filings, more than twice as many accounts as the Framingham retailer has said were affected in what was already the largest data breach in history.
The data breach affected about 65 million Visa account numbers and about 29 million MasterCard numbers, according to the court filing, which was made late yesterday by a group of banks suing TJX over the costs associated with the breach. The banks cited sealed testimony taken from officials at the two largest credit card networks. A Visa official also put fraud losses to banks and other institutions that issued the cards at between $68 million and $83 million on Visa accounts alone, the filing states, the most specific estimate of losses to date.
TJX, which operates more than 2,500 stores worldwide under such brand names as TJ Maxx and Marshalls, previously has said the unidentified hackers who breached its systems had com promised at least 45.7 million credit and debit card numbers as far back as 2003. TJX has said about 75 percent of the compromised cards were expired or had data in the magnetic strip masked, meaning the information was stored as asterisks rather than numbers.
A TJX spokeswoman said she couldn't immediately discuss the filing yesterday, and said the company doesn't generally discuss pending litigation. Spokesmen for Visa and MasterCard did not respond to questions last night.
Eric Bourassa, a privacy specialist for the consumer group MassPIRG, said the larger number of cards apparently affected made it all the more important that consumers be notified of the great risk of fraud. He also said Visa's estimate of fraud losses was striking since in most previous cases "it's been hard to draw the link between the breach and the damages."
To date, authorities have not charged anyone directly with responsibility for the breach, though they made charges and won guilty pleas against six individuals in Florida for using phony credit cards with numbers stolen from TJX to purchase goods illegally. Last month, Canadian privacy officials concluded an eight-month investigation into the breach by faulting TJX for failing to adequately safeguard customer information. The investigators said TJX believes the intruders gained access to customer information via wireless local area networks at two Marshalls stores in Miami. These networks use radio waves to collect and transmit data, such as credit card numbers.
The claims filed by the banks yesterday are part of an ongoing legal battle between TJX and the bank that handled its card transactions, Fifth Third of Ohio, and a bigger group of plaintiff institutions including the Massachusetts Bankers Association and others.
TJX already has reached a tentative settlement with attorneys representing consumers who were harmed by the breach, who would receive cash or merchandise vouchers, credit monitoring, and other benefits if the deal is finalized.
TJX has said the price of the deal would fall within its previous estimates that the total cost of dealing with the breach would be around $256 million.
Several analysts have estimated the total costs to TJX could ultimately run as high as $1 billion, including legal settlements and lost sales. To date, though, sales figures reported by TJX suggest that shoppers have not been put off by the breach.
The banking plaintiffs haven't set an exact total for the damages they seek in their suit, but they claim among other things that TJX mishandled its security arrangements and they want the company to pay for unspecified losses and costs such as reissuing compromised credit cards.
TJX also is facing several other investigations into the breach, including one by the Federal Trade Commission and a multistate probe led by Massachusetts Attorney General Martha Coakley.
Yesterday's filings relate to a technical legal battle of whether a federal judge in Boston will grant the banks' motion to be certified as a class of plaintiffs, or whether they would face the more daunting task of pursuing their claims individually.
In a filing of its own, TJX argued against the certification, saying the small community banks who brought the suit "are not typical of those of the class" compared to big banks such as Bank of America Corp., which account for the majority of cards issued in the United States.
"Large banks generally devote considerably more resources to payment card fraud management than do smaller banks . . . which technology in turn enables them to react more flexibly to data compromises than small community banks sometimes do," TJX's filing states.
Further, many banks reissued every one of their cards listed in alerts, "a responsse that was at odds with best practices set forth by Visa, MasterCard," and bankers associations, TJX stated.
Ross Kerber can be reached at firstname.lastname@example.org.