TJX breach shows IT security lacks in retail industry

The scope of the security breach disclosed this week by The TJX Companies Inc. is starting to make itself evident, with more than three dozen banks in Massachusetts alone now reporting that cards they issued have been compromised.

A spokesman for the Massachusetts Bankers Association said this afternoon that 40 of the MBA's 205 member banks have said they suffered card compromises as a result of the breach at Framingham, Mass.-based TJX. That number is sure to grow as more banks report to the association, he added, noting that only about 60 have done so thus far.

In addition, the MBA spokesman said some of the banks affected by the breach have confirmed through credit card companies that the information stolen in the breach includes so-called Track 2 data taken from the magnetic stripes on the back of credit and debit cards.

Benson Bolling, assistant vice president of lending at the Alabama Credit Union in Tuscaloosa, also said this week that based on alerts from Visa U.S.A. Inc., Track 2 data appears to have been compromised in the breach.

Track 2 data includes account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion. Its apparent inclusion in the breach at TJX provides fresh evidence that IT security remains fragile at some large retailers despite efforts by credit card companies to get them to better protect customer data.

Retailers are forbidden from storing such information under the Payment Card Industry (PCI) Data Security Standard being pushed by Visa, MasterCard International Inc. and other credit card companies. But many retailers continue to do so, often because their point-of-sale systems capture and store the data by default.