From the Boston Globe newspaper:
"More than 94 million accounts were affected in the theft of personal data from TJX Cos., a banking group alleged in court filings, more than twice as many accounts as the Framingham retailer has said were affected in what was already the largest data breach in history."
This massive data breach affected about 65 million Visa credit card holders and about 29 million MasterCard credit card holders. The banks had sued TJX to recover the costs incurred from replacing their credit card customers' accounts with new cards and account numbers.
"A Visa official also put fraud losses to banks and other institutions that issued the cards at between $68 million and $83 million on Visa accounts alone..."
I have absolutely no sympathy for TJX. When a retailer accepts payments from customers using sensitive personal data (e.g., credit card numbers, checking account numbers, etc.), it is the retailer's responsibility to protect that personal data... especially since they are making money from the consumers' purchases. If the retailer wants the benefits, then the retailer must also accept the risks and the responsibility. It is not right to pass the cost (and the responsibility) to banks when they re-issue credit card numbers.
Consumers expect the retailer to employ adequate and updated data security measures. Consumers expect the retailer to notify them promptly of any and all data breaches, regardless of whether the states' laws specify notification.
If a retailer can't protect consumers' sensitive data, then don't accept it. It's really that simple. Want to learn more? Read my archive of TJX posts.