Hacker costs keep growing

Gonzalez and several unnamed accomplices were accused this week by the Department of Justice of conspiring to steal 130 million credit cards - the largest data breach reported - after penetrating the computer networks of major retailers and a credit card processing company, Heartland Payment Systems.

Gonzalez was previously charged with orchestrating the heist of more than 40 million credit cards from nine retailers, including discounter BJ’s Wholesale Club of Natick and Framingham-based TJX Cos., which operates TJMaxx and Marshalls stores.

Those companies in turn say they have been forced to spend millions of dollars to contend with the damage.

TJX said it has spent $132 million on expenses related to the breaches, including the cost to investigate and contain the intrusion and to handle lawsuits and other legal claims. It has set aside another $39.5 million to handle further claims. Spokeswoman Sherry Lang said TJX has also spent millions of dollars beefing up its computer security.

The retailer has faced a raft of litigation initiated by banks, individuals, and government agencies accusing TJX of lax security that allowed hackers to penetrate its network and obtain millions of card numbers. In June, for instance, TJX struck a $10 million deal to settle a lawsuit brought by 41 states alleging the company did not do enough to protect customers. And it spent $65 million to settle suits by banks that issued Visa and Mastercard credit cards.

Meanwhile, BJ’s set aside $13 million between 2004 and 2007 to handle claims for fraudulent credit and debit card charges and the cost of replacing cards, offering credit monitoring, and related expenses. But it also cautioned that it faced a number of outstanding legal claims. BJ’s officials did not respond to requests for comment.

One of the victims of the latest crime is Hannaford Bros., a regional supermarket chain based in Maine with stores in Massachusetts. In March 2008, Hannaford said thieves obtained as many as 4.2 million credit and debit card numbers.

Hannaford’s parent company, the Delhaize Group of Belgium, said its second-quarter earnings were hurt last year by additional expenses for security, legal, and public relations consultants.

The grocery chain said it spent money to improve its security systems, though it believes it was already in compliance with industry standards. In addition, the company said it faces a number of legal claims, which could potentially expose it to further losses.

The company declined to say how much it has spent handling the breaches.

“It is not a huge amount, but it has an impact because we are a low-margin business,’’ said Guy Elewaut, a company spokesman.

“It’s an unfortunate event that we tried to manage as quickly as possible.’’

The breaches were also costly to banks that issue credit and debit cards - though their networks were not breached.

Some banks were forced to reissue cards, which can cost $5 to $30 per card, after card data was stolen from retailers, said Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, an industry group. Others offered credit monitoring.

And some banks were forced to absorb additional losses after cards were fraudulently used.

More than a dozen Massachusetts community banks reported that thousands of customers were affected by the Heartland data breach.

Lowell Five Cent Savings Bank, for instance, said as many as 3,300 of its debit cards were compromised. The bank ordered new cards for identified customers, at a cost of $40,000 to $50,000, to help prevent fraud.

“It’s a considerable expense for a local community institution,’’ said bank vice president Craig MacKenzie.

“It has an impact on our bottom line. But it’s something we felt we needed to do,’’ MacKenzie said.

Spitzer, who represents banks across the state, said it is difficult to estimate how much the breaches cost Massachusetts banks overall.

Gonzalez, who is currently in federal custody in Brooklyn on charges of hacking into a Dallas-based restaurant chain, has pleaded not guilty to hacking charges in Massachusetts and New York, but has not been arraigned in New Jersey, where the latest charges were filed. A lawyer for Gonzalez, Rene Palomino Jr., could not be reached for comment.

Todd Wallack can be reached at twallack@globe.com.