The filings in a bank case against TJX indicated that fraud-related losses involving Visa cards alone range from $68 million to $83 million, spread across 13 countries. One filing warned that the total will rise as thieves continue to use data from compromised cards.
"You know, these are going to be sold off for a period of time in the future, so it's going to continue for some time out there," Joseph Majka, Visa USA's vice president of investigations and fraud management, said in court documents unsealed late Tuesday.
Depositions of security officials at Visa and MasterCard, the two biggest credit card associations, suggest the breach was far bigger than TJX has indicated. Even before the latest numbers, independent organizations that track data breaches had called the case the largest ever.
TJX said in March that at least 45.7 million of its shoppers' cards had been compromised, although it acknowledged it may never learn the total number. However, the Framingham, Mass.-based owner of 2,500 stores including T.J. Maxx and Marshalls has said about three-quarters of the cards had either expired by the time of the theft, or had masked data in the magnetic strip, meaning the information was stored as asterisks rather than numbers.
In an Aug. 31 deposition with an attorney for banks suing to recover breach-related losses, Visa's Majka said the association had alerted card-issuing banks and other institutions about 65 million Visa card accounts that may have been compromised. That number was as of June, he said.
"I'm not sure if this is, in fact, the final number," he said.
A Visa spokesman declined further comment Wednesday.
Neil Maguire, a security official at MasterCard, said in a Sept. 27 deposition that his card association believed it had "roughly 29 million" potentially exposed cards.
In the portion of Maguire's deposition that has been unsealed, he did not give a dollar estimate of fraud involving MasterCard accounts.
MasterCard spokesman Chris Harrall declined to comment Wednesday because the matter involves ongoing litigation.
TJX spokeswoman Sherry Lang declined immediate comment.
Fraud Spreads Far and Wide
Some banks have said they've learned of fraudulent purchases tied to the breach as far away as Hong Kong and Sweden.
Majka said Visa had fraud reports from 13 countries, with most cases in the United States.
No arrests have been made of people suspected to have broken into TJX's systems, although 10 people were convicted in Florida this year for their roles in a ring using stolen TJX customer data to buy gift cards and merchandise.
Last month, a Canadian government investigation led by Privacy Commissioner Jennifer Stoddart concluded that hackers intercepted wireless transfers of customer information at two Miami-area Marshalls stores. The break-in gave hackers undetected access to TJX's central databases for a year and a half, starting in July 2005.
Tuesday's court filings in U.S. District Court in Boston were made by banks that have sued TJX and Cincinnati-based Fifth Third Bancorp, which processed some payment card transactions for TJX. The plaintiffs include banking associations in Massachusetts, Connecticut and Maine, as well as small banks like Alabama-based Amerifirst Bank, Maryland-based Eagle Bank and Massachusetts-based SaugusBank.
The banks are seeking class certification that would allow other banks to join the complaint and share in any damage awards, and a ruling on the motion is pending. Judge William Young recently denied a TJX motion to dismiss the complaint.
Attorneys representing consumers who are part of the same lawsuit recently reached a tentative settlement with TJX. If the deal is finalized, consumers would receive benefits including cash or merchandise vouchers and credit.
TJX is the owner of about 2,500 stores, including T.J. Maxx and Marshalls and, in Canada, Winners and HomeSense.