Banks file data breach suit against TJX

The Massachusetts Bankers Association, a trade group, announced that it is filing a class action lawsuit against retailer TJX over a data breach that put more than 45 million credit and debit cards holders at risk of having their financial information accessed.

The bankers association, along with the Connecticut Bankers Association and Maine Association of Community Banks, filed the lawsuit in the U.S. District Court in Boston. The three banking associations represent almost 300 banks and are seeking to recover "tens of millions of dollars" in damages, according to the filing. Last month, TJX announced it discovered a data breach of its customers' records that spanned a two-year period.

[ssidner]

This opens Pandora's Box

TJX will hire some smart lawyers. They will bring up two dirty little secrets, that aren't really secrets:

1) The PCI designed a flawed system that has the Sensitive Cardholder Data flying around in the clear. If the PINs can be encrypted in the POS terminals, why isn't the rest of the data?

2) The card networks and the issuers, the plantiffs in the suit, are not required to encrypt Sensitive Cardholder Data and most don't. In fact the settlement files that fly around the networks at night are never encrypted - they are delivered to the acquirers and merchants systems in the clear. The PCI has no current plans to encrypt them.

The PCI is an issuer organization. For a group of issuers to sue the poor merchants is an indication of how powerful and arrogant the PCI is.

I'm guessing that the rest of the retail industry that is currently sueing the PCI over interchange fees will come to the aid of their brother, TJX.

This will all come out in court, because why should TJX pay for the PCI's mistakes?

It will be verrryyyy interesting to watch it all go down.