Bankers association says stolen card data

30.01.2007

Credit and debit card numbers compromised in the security breach at TJX have been fraudulently used in at least three U.S. states and two foreign countries, according to a group that represents Massachusetts banks.

The Massachusetts Bankers Association (MBA) said that as of last Wednesday, card numbers taken from TJX's systems had been used to make fraudulent purchases in Georgia, Florida and Louisiana, as well as in Hong Kong and Sweden.

Both MasterCard International Inc. and Visa U.S.A. Inc. declined to comment on the MBA's claims about fraudulent uses of card numbers. TJX officials didn't respond to requests for comment about the reported misuse of card data.

In addition, the MBA said it is "strongly" pushing for state legislation that would require credit card firms to quickly disclose the source of a retail data breach. MasterCard, Visa and other card companies typically don't divulge that information to card-issuing banks when notifying them of security incidents.

Daniel Forte, the MBA's CEO, said in a statement that the credit card companies also should hold the source of a breach financially liable -- especially if the retailer was storing card data in violation of the Payment Card Industry (PCI) Data Security Standard.

TJX hasn't disclosed what information was compromised. But according to the MBA and other financial industry sources, the retailer appears to have been storing account numbers, expiration dates and other so-called Track 2 data taken from the magnetic stripe on the back of cards. Keeping such data is forbidden under PCI.

The fact that Track 2 data likely was among the compromised information is disappointing, said Ryan Fisher, senior risk manager at Madison, Wis.-based CUNA Mutual Group, which insures about 5,500 credit unions. He also said there is "a certain level of disappointment" that credit card companies haven't been enforcing the PCI standards more effectively.