The office of the Massachusetts Attorney General is leading a multi-state civil investigation into the security breach in January at retailer TJX which may have exposed personal data belonging to millions of customers to fraudsters.
Massachusetts Attorney General Martha Coakley says the consumer protection division of the office is investigating the breach and the security measures that Framingham-based TJX took to protect customer data.
The retailer revealed on 17 January that the computer system it uses to process and store information related to customer transactions had been hacked in December 2006, which could have exposed millions of customers' credit and debit card numbers, as well as driver's license information, dating as far back as 2003.
Following the incident some banks were forced to re-issue cards to affected consumers. The Massachusetts Bankers Association (MBA) also reported that debit and credit card data thought to have been exposed in the breach had been used to make fraudulent purchases in Florida, Georgia and Louisiana in the US, as well as in Hong Kong and Sweden.
The MBA called for the introduction of legislation that would mandate the quick disclosure of companies cought out by a data breach, and that would place the financial liability with those companies as well.
America's Community Bankers (ACB) says its members have also had to re-issue cards following the breach and the association has echoed MBA's call for card networks and congress to take action.
ABC says 70% of its members that responded to a survey said their bank had had to reissue cards three times or more due to data breaches.
Michael Crowley, chairman of ACB's debit card fraud committee, says these data breaches are disturbing, disruptive and costly and consumer data is being exposed due to lax security at the merchant level.
"The foundation of our business, customer trust, is being jeopardised because of lack of enforcement of payment card industry standards by the card associations and lack of adherence to those standards by the merchants," he adds.
In January 2006 US credit data firm ChoicePoint agreed to pay $15 million to settle charges that it failed to adequately protect customers' financial information following a data breach where a gang of criminals posing as businessmen gained access to around 163,000 personal records.
Payments processor CardSystems Solutions also agreed last year to settle federal charges that it failed to protect the financial data of millions of consumers following a security breach in 2004 that exposed more than 40 million credit cards to hackers.