Bank associations in Massachusetts, Connecticut and Maine said they will sue TJX over a data theft that exposed at least 45 million credit and debit cards to potential fraud.
Banks have been saddled with costs to replace cards and cover fraudulent charges tied to the theft from TJX , the owner of nearly 2,500 discount stores including T.J. Maxx and Marshalls. Since it disclosed the data theft three months ago, Framingham-based TJX has been hit with several lawsuits filed in the U.S. and Canada by consumers, financial institutions and investors.
The Massachusetts Bankers Association said the Connecticut Bankers Association, Maine Association of Community Banks and at least three individual banks are joining in a lawsuit to be filed Wednesday in U.S. District Court in Boston. The associations represent nearly 300 banks.
Dan Forte, president and chief executive of the Massachusetts Bankers Association, said his organization will contact other state bank groups nationwide to see if they're interested in joining the lawsuit, which seeks class-action status.
The complaint will make an unfair trade practices claim under Massachusetts law alleging that TJX failed to adequately protect sensitive customer data, and misrepresented how it handled data.
TJX spokeswoman Sherry Lang said the company does not comment on pending litigation.
The Massachusetts Bankers Association said in January its members had been contacted by credit and debit card companies of fraudulent purchases tied to the TJX breach that had been made in Florida, Georgia, and Louisiana, and overseas in Hong Kong and Sweden. Reports continue to come in from "around the world," bankers association spokesman Bruce Spitzer said.
Spitzer said the banks will try to recover "tens of millions of dollars," although the damages the banks ultimately will seek depends on future expenses from replacing cards and covering fraudulent purchases.
On Jan. 17, TJX disclosed a breach of its computer systems by an unknown hacker or hackers who accessed card data from transactions as long ago as late 2002. On March 28, TJX said at least 45.7 million of its shoppers' cards had been compromised. Independent organizations that track data thefts say the TJX case is believed to be the largest in the U.S. based on the number of customer records compromised.
TJX says about three-quarters of the 45.7 million cards had either expired by the time of the theft, or the stolen information didn't include security code data from the cards' magnetic stripes. However, TJX also has said the intruders could have tapped the unencrypted flow of information to card issuers as customers checked out with their credit cards.
The company and the U.S. Secret Service are investigating. The only arrests so far have come in Florida, where 10 people who aren't believed to be the TJX hackers are accused of using stolen TJX customer data to buy Wal-Mart gift cards.