
The recent breach of security involving consumer debit and credit card accounts from The TJX Cos. has affected local financial institutions such as Mutual Bank in Whitman.
A computer hacker who obtained information on anywhere from 200,000 to millions of consumer debit and credit card accounts from The TJX Cos., possibly as far back as last May, set off a chain reaction of card cancellations, at least one class-action consumer lawsuit and renewed calls for increased protections to both consumers and card-issuers after the company officially announced the intrusion on Jan. 17.
At least 60 banks in the Bay State to date have reported they’ll have to reissue cards to their customers at a cost of $3 to $15 per card, according to the Massachusetts Bankers Association.
The trade group, which represents all 205 banks in the commonwealth, refused to estimate the potential total dollar damage to Massachusetts banks, except to say that “the cost is sure to be in the millions statewide.”
MBA Director of Communications Bruce Spitzer said not all banks had yet reported in, and said there were too many variables involved.
Mutual Bank in Whitman said it would have to reissue approximately 800 cards at a cost of $3 per card, plus the “soft costs” associated with bank employees who identified which cards were compromised – about 10 percent of the bank’s total number of cards in the field. The bank has called customers to inform them.
“The cost comes from the bank operating fund, ultimately,” said Chairman and Chief Executive Officer Glen S. White. He said that cost also doesn’t take into account any fraudulent transactions the bank is responsible for paying a retailer if an unauthorized purchase occurs.
“We seem to be the ones who always get the short end,” he said.
TD Banknorth, a regional bank based in Portland, Maine, with more than 150 Massachusetts branches, would only say that a “significant” number of cards are involved in the data breach. A spokeswoman said the cost to replace them “will vary depending on our approach.”
The TJX data breach compromised the personal financial information of customers who shopped at TJX stores in the United States, Canada, Puerto Rico and possibly the United Kingdom and Ireland. Stores from which data was obtained included U.S. and Puerto Rican chains T.J. Maxx, Marshalls, HomeGoods and A.J. Wright; Canadian retailers Winners and HomeSense; and T.K. Maxx in the United Kingdom and Ireland. It also may have included Bob’s Stores in the United States.
Massachusetts banks began reporting fraudulent use of their customers’ debit and credit card information on Jan. 24. To date, the data has been used fraudulently in Florida, Georgia and Louisiana in the United States and in Hong Kong and Sweden overseas, according to MBA.
Data obtained included account numbers, expiration dates, personal identification numbers and other verification information – including, in a few cases, driver’s license information, MBA said. According to Computerworld, the data involved transactions processed during 2003 and between May and December 2006, and included all major card brands accepted by TJX, including Visa, MasterCard, American Express and Discover.
The data was older than retailers’ contracts with credit card companies allow, according to MBA President Daniel J. Forte.
A Visa spokesman said he could not comment on the contracts, but provided a statement from a company vice president, Rosetta Jones, who said Visa had “provided affected account numbers to financial institutions so they can take steps to protect consumers.”
“In addition, Visa is risk-scoring all transactions in real time, helping card issuers better distinguish fraudulent transactions from legitimate ones,” she said.
Unfair Burden
Computerworld also reported that storing the information TJX had on point-of-sale systems is forbidden under the Payment Card Industry Data Security Requirements, which were prompted by previous data breaches at other retailers, put in place in 2005 and pushed by major credit card companies – although only about 50 percent of the nation’s largest retailers are in compliance with those rules.
“[TJX was] holding data that they never should have been holding in the first place,” Forte said. “One, it was old, and two, why were they holding on to driver’s licenses?
“If they were going to keep that data, which they are not supposed to, it needs to be encrypted,” he added.
Forte said that while it’s good that Visa and MasterCard have “zero liability” policies in place for affected consumers, it is unfair that the cost of fraud is passed along to banks, which did not allow data to be compromised.
“The cost is borne by the bank even if the retailer is responsible for a major violation of the card association rules, resulting in fraud,” he said. “Does this make sense?”
MBA is supporting pending state and federal legislation that would put the cost in the hands of retailers, he said.
Forte said the cost to banks is beyond financial, explaining that their reputations suffer when they deliver the bad news to a consumer that his or her credit card has been compromised.
However, Mutual Bank Marketing Director Christine Grundy said bank employees found its customers were “overwhelmingly thrilled that we called. People are so security-conscious … I think that they see us as an ally.”
MBA is taking a harder-line stance today than it did in 2004, following a similar data breach involving national retail chain BJ’s Wholesale Club.
MBA Executive Vice President and Chief Operating Officer Kevin Kiley said he heard estimates that banks and credit unions spent upward of $25 million to reissue credit and debit cards following that breach.
A few months after that incident, MBA initiated its New England Debit Card Task Force, which Kiley chairs and which now includes banking trade associations from the New England states, individual community bankers and representatives from the American Bankers Association, America’s Community Bankers, Independent Community Bankers of America and California Bankers Association.
The task force has the primary goal of protecting consumers and seeking to moderate the impact and costs of data compromises on banks.
Data compromises are more prevalent than ever, Forte said, meaning the rules and procedures have to change in response. He cited the recent example of The Boston Globe, which in January 2006 inadvertently wrapped newspaper bundles distributed to retailers and carriers with routing slips printed on recycled paper that contained credit card and checking account information for 240,000 customers.
Also last year, according to published reports, a data breach at another unidentified retailer, which some believe to be OfficeMax, forced major banks and credit unions to cancel and reissue thousands of cards.





