Over 94 million Visa and MasterCard accounts may have been exposed to fraudsters in the security breach at US retailer TJX, more than double the number previously reported.
TJX said in March that fraudsters who hacked its computer systems managed to steal 45.7 million credit and debit card numbers over a period of more than 18 months, making it the biggest breach of personal data ever.
However, according to filings in a bank case against TJX, the breach is even bigger than first reported and 94 million Visa and MasterCard accounts could have been exposed.
The filings, which cite security officials at Visa and MasterCard, are part of a lawsuit lodged by banking associations against TJX and Fifth Third Bancorp, which processed some card transactions for the retailer.
In a deposition that was unsealed in federal court in Boston yesterday, Joseph Majka, Visa USA's vice president of investigations and fraud management, states that the association alerted institutions about 65 million Visa accounts that may have been compromised in the hacking.
According to press reports, the filings indicate that fraud-related losses involving just the Visa cards range from $68 million to $83 million, spread across 13 countries, and this is set to rise as fraudsters continue to use data stolen in the hacking.
A MasterCard security official said his company believed it had around 29 million compromised cards.
TJX spokeswoman Sherry Lang told reporters that the retailer is sticking with its figure of 45.7 million accounts exposed.
The retailer originally revealed on 17 January that the computer system it uses to process and store information related to customer transactions had been hacked, potentially exposing millions of customers' credit and debit card numbers, as well as driver's licence information.
Hackers placed unauthorised software on TJX's computer network and stole at least 100 files containing data on millions of accounts from systems in Framingham, Massachusetts and Watford in the UK.
Debit and credit card data exposed in the compromise is thought to have been used to make fraudulent purchases in Florida, Georgia and Louisiana in the US, as well as in Hong Kong and Sweden.
So far no arrests have been made of people suspected to have broken into TJX's systems, although in September the ringleader of a gang that used data stolen during the TJX hacking was sentenced to five years in prison and ordered to pay nearly $600,000 in restitution.
Irving Escobar, 19, from Miami, pleaded guilty in March to charges that he participated in a criminal operation that used counterfeit cards featuring credit card data stolen in the TJX data breach.
Five other gang members who were accused of playing lesser roles in the operation also pleaded guilty to similar charges in Florida courts.