The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Bert Caldwell: Hackers victimize T.J. Maxx customers

Bert Caldwell The Spokesman-Review

Credit card information for the tens of thousands of Washington and Idaho residents who shop at T.J. Maxx stores has been compromised by hackers who breached the merchant’s security system last month.

And a lot more than just their credit card numbers may have been captured by the unknown thieves.

The computers at TJX Companies Inc., the corporate parent of T.J. Maxx and other discount stores, also may have held driver’s license numbers, checking account numbers and other information the president of the Washington Credit Union League calls “a recipe for identity theft.”

Apparently, nobody at TJX was minding the store.

John Annaloro says the hackers obtained at least 50,000 credit card numbers for Washington credit union members alone. He expects that number to increase as TJX learns more about the damage done.

The hackers may have accessed transactions as far back as 2003, with estimates of the accounts compromised running as high as 40 million. The company says its system is now safe.

Annaloro says Washington’s credit unions have already begun the costly, time-consuming process of notifying members of the breach. Those affected should probably get new cards with new numbers, he says.

At Spokane Catholic Credit Union, President Cathy Loan says every one of the 43 members who used their card at the nearby T.J. Maxx store at Northpointe shopping center has opted for a new card.

The credit union was notified of the breach on Martin Luther King Jr. Day. Letters notifying the affected members went out last Tuesday, she says, but at that time officials had not been told where the security breach had occurred. TJX disclosed the breach on Wednesday.

“I had not a clue who did this,” Loan says. “It looked like we were careless with our data because we didn’t have anybody else to point the finger at.”

The card accounts were blocked, but not until Catholic CU had permission from the member. Otherwise, Loan says, members unaware of the problem could unknowingly try to use their card. Or, as in the case of one member, they could be headed out of town with a useless piece of plastic. It takes about five days to get a new card.

Loan says the credit union is trying to arrange delivery of a new card to the member’s hotel.

Also, members who have payments automatically deducted from their accounts must notify all those merchants the old account has been canceled, and give them the number for the new one.

“It’s a lot of grief,” she says. “What is stolen from you is your time.”

Catholic CU absorbs the cost of a new card which, with administrative costs, is about $20.

Numerica Credit Union has been calling the 1,000-plus members affected, and posting information on its Web site. Members are also receiving new cards.

So far, cards belonging to Catholic and Numerica members have not been used improperly.

Visa USA says it is monitoring the affected accounts for any suspicious activity. Bank of America, the nation’s largest card issuer, has assured customers they are at no financial risk if their card numbers are used.

Neither of the Washington credit unions is big enough to qualify for what, by and large, are less rigorous notification requirements. Washington and Idaho exempt businesses from notifying individuals if their numbers exceed certain thresholds, or if the cost would be too great.

In those instances, e-mail to those who have it, Web postings and alerts to statewide media are sufficient.

You could be excused if you were unaware of the TJX breach. There has been relatively little publicity about the matter, and its potential size.

Maybe that’s what they mean by discount.

T.J. Maxx customers can call a toll-free helpline at 1-866-484-6978 for more information, or go to the corporate Web site at www.tjx.com.