Banks start credit card reissue Breach of databases prompts replacements

BANGOR – Thousands of local bank customers will receive new debit and credit cards in the mail this month to replace existing cards whose numbers may have been stolen when hackers accessed customer information from TJX Companies Inc. store databases in mid-December.

TJX, based in Framingham, Mass., operates 2,500 T.J. Maxx, Marshalls and other stores nationally and internationally.

On Jan. 17, TJX disclosed it had discovered the unauthorized intrusion in the system that stores customer credit, debit card and driver’s license numbers. The compromised data are linked to credit card or debit card purchases made in 2003 or between May and December 2006 at T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States and Puerto Rico and Winners and HomeSense stores in Canada.

The store has come under fire for finding out about the problem before Christmas but not reporting it until mid-January.

“It is odd that they discovered the breach a few weeks before Christmas, and the announcement was delayed until a few weeks after Christmas,” said Steve Kenneally, director of America’s Community Bankers, a Washington, D.C., trade group.

TJX Chairman Ben Cammarata said in a prepared statement that the company immediately engaged two leading computer security and incident response firms to investigate the problem and enhance the computer system’s security in order to protect customer data. Cammarata said TJX also notified law enforcement authorities and major credit card companies. The intruder has not been identified.

“We were concerned that there would be an expansion of our systems breach. By not making a public announcement in December and with the help of top security experts, we were able to contain the problem and strengthen our computer network,” Cammarata wrote.

The Maine Bankers Association does not know the total number of Maine bank customers whose cards were exposed to the TJX security breach.

No Maine banks or customers have reported fraudulent use of their cards in connection with the intrusion, according to Maine Bankers Association attorney Mark Walker. The Massachusetts Bankers Association said several Massachusetts banks have reported unauthorized purchases made in Florida, Georgia, Louisiana, Hong Kong and Sweden using cards linked to debit and credit card numbers stolen from TJX’s computer system.

When alerted, credit card companies, who supply debit and credit cards to banks, sent lists of potentially compromised numbers to banks across the country.

Bangor Savings Bank received lists from Visa and MasterCard of more than 5,000 debit card numbers and 300 credit card numbers belonging to customers who made a purchase or a return during the months in question. Anyone who made a purchase with a credit card, debit card or check or returned merchandise during that period was in the system.

Yellow Light Breen, senior vice president at Bangor Savings Bank, said the bank sent a letter to its affected customers and replaced all cards.

“So far, we have seen no evidence of fraud from automated systems and have received no calls of fraud from customers,” Breen said. “We just thought, better safe than sorry.”

Merrill Bank received a list of 2,600 debit card numbers from Visa, according to Senior Vice President Lynne Spooner. The bank identified which accounts were linked to the cards and found that only 200 of those accounts were active. Branch personnel made contact with each customer and gave them the option of whether to have their card reissued.

Only 71 cards have been reissued, and Merrill has not received any complaints of unauthorized card use related to the TJX security breach, Spooner said.

“There’s quite a cost to [replacing cards], plus the customer inconvenience,” Spooner said. The cost of replacement is about $14 per card, which the bank is covering, Spooner said

Banks and bank associations are speaking out against TJX’s security methods, the delayed announcement and the cost the breach has imposed on banks.

“There’s no immediate recourse to the retailer, or the entity that caused the breach, but there’s immediate cost to the bank,” said Kenneally of the community bankers’ group. Banks usually absorb the cost of replacing each card, Kenneally said.

Community banks in New England have identified at least 200,000 credit and debit cards compromised by the TJX security breach, Kenneally said.

“More banks are reporting more and more compromises so that number is extremely low,” Kenneally said.The number of compromised accounts is expected to rise as more banks respond to state surveys, which have not included major financial institutions such as Bank of America, Kenneally said.

State officials and banks outside Maine are taking legal action against TJX, citing failure to protect customer information and for delaying disclosure of the breach. The Massachusetts and Rhode Island attorneys general have launched separate civil investigations questioning TJX’s security procedures. The Maine Attorney General’s Office was still monitoring the situation. AmeriFirst Bank of Union Springs, Ala., filed a class action lawsuit in U.S. District Court in Boston and also named as a defendant Fifth Third Bank of Ohio, the company that processed debit and credit transactions for TJX. AmeriFirst Bank aims to recover losses, including the cost to replace compromised cards, and fraudulent charges made with the exposed cards.

TJX warns customers on its Web site that criminals use situations like this to try to obtain personal information like credit and debit card numbers, PINs and social security and driver’s license numbers. Ignore phone calls and e-mails that ask to confirm personal information, TJX said. The company asks customers who receive hoax e-mails or calls to report them by calling toll-free (866) 484-6978.

For more information, visit your local bank or www.tjx.com.