Banks yesterday reported more risks for TJX Cos. customers following its loss of credit- and debit-card data, and questioned whether the Framingham retailer kept too much personal information on file in violation of card rules.
TJX said on Wednesday it had discovered in mid-December "an unauthorized intrusion" of its computer systems, which may have made customers' personal data vulnerable to fraud and identity theft. The security breach involved information dating to 2003 and could potentially affect millions of customers. TJX operates more than 2,500 stores including T.J. Maxx, Marshalls, and HomeGoods.
The hacking incident came as financial institutions scramble to maintain public confidence in the safety of their fast-growing electronic payment systems. The incident, which could be one of the biggest retail security breaches ever, drew vows for new consumer-protection laws and generated sharp criticism from financial organizations.
The Massachusetts Bankers Association said credit-card companies have told 28 of its member banks that some cardholders may have had personal information exposed in the TJX breach, and that the number is likely to grow.
The banking trade group also said TJX may have been keeping on file "unnecessary" data. Credit-card network rules prohibit retailers from retaining information after they verify a person's identity and account balance.
"After the transaction clears, there is no reason to store any data," said the group's president Daniel J. Forte.
TJX spokeswoman Sherry Lang declined to comment on the banking association's remarks yesterday or to give more details about the intrusion, which also included the removal of some customers' driver's license numbers. Lang said she knows of no fraud stemming from the intrusion but said the full extent of the problem remains under investigation.
In November, credit-card companies set new standards that among other things require merchants to justify how long they store certain data electronically. Both MasterCard and Visa USA have told customers that TJX was out of compliance with the new standard, said financial services executives, speaking on condition of anonymity because the matter is still under investigation by law enforcement.
"It appears a retailer wasn't following the rules set out by the organizations," said Phil Tschudy, spokesman for CUNA Mutual Group in Madison, Wis., an insurer for credit unions that must pay the cost of covering fraud charges and reissuing cards.
Yesterday, banks including Citizens Bank and Wachovia Corp. said some customers' information was potentially compromised by the breach. (A Citizens spokesman said on Wednesday that its customers weren't affected but now says that was based on old information.)
Also, Mutual Bank of Whitman said it deactivated 1,000 debit cards because of a large data breach that the Massachusetts Bankers Association identified as the one at TJX.
For TJX, one of the nation's largest discount retailers, the question now is whether shoppers will be put off by the data loss or just chalk it up as one of a growing number of breaches that have struck scores of major companies. TJX shares fell 13 cents in trading yesterday to close at $29.50.
But at a Marshalls store in Dorchester yesterday several shoppers said they were concerned.
"I was shocked given the size of the company. I thought they would have had better security," said Maureen Penella of Dorchester. She said she used credit and debit cards during December, and now will only pay with cash.
Shopper Catherine Collins of South Boston said her husband also is making the switch to shopping only with cash. "I just can't believe it," she said. "It makes me really nervous."
TJX has set up a special help line, 1-866-484-6978, to answer customers' questions and posted information about the incident on its website, tjx.com. The company urged customers to review their credit- and debit-card statements for any fraudulent transactions.
"TJX is in a tough situation," said Mike Tesler, president of Retail Concepts, a Norwell consulting firm. While he credited the company for discussing its breach, it's still difficult for customers because they don't know to what extent they are vulnerable.
On Beacon Hill, House speaker Salvatore F. DiMasi said, "identity theft will be a priority for this session." Since data-privacy advocates criticized his lack of support for previous bills, his comments suggest a new rule will emerge soon.
A spokesman for Governor Deval Patrick said he "will work with the Legislature to ensure that safeguards are put in place to protect people's personal and financial information." In an interview, Attorney General Martha Coakley said, "in concept, there probably should be" new state privacy rules, and that she would study the issue.
Ross Kerber can be reached at kerber@globe.com. Jenn Abelson can be reached at abelson@globe.com.