Thousands of Canadian credit-card holders have been victimized by fraud after a security meltdown at the U.S. parent company of retail chains Winners and HomeSense, according to sources in the financial community.
They suggested that number could rise as banks and other credit-card issuers continue to gather information on what has become one of the most high-profile privacy thefts in recent memory.
"We have seen fraud on some of those accounts that we can directly link back to [the breach]" said an official with one card issuer, who cautioned his company is still determining how many of its clients could be left vulnerable by the hacking incident. He added that issuers are directly contacting any customers whose cards appear to have been used fraudulently.
Last week, TJX Cos. of Framingham, Mass., revealed that a hacker had broken into its computer systems and stolen confidential customer information relating to credit-card and debit transactions.
The Massachusetts Bankers Association said yesterday that some of the private financial data pilfered from TJX were used to make fraudulent purchases in Florida, Georgia and Louisiana, as well as overseas, in Hong Kong and Sweden.
The organization said 60 banks in the state have already been notified of fraudulent activity on their credit and debit cards.
It cautioned that the number is "likely to grow" because less than half of the MBA's 205 members have submitted reports. In some cases, these banks are already reissuing credit cards to their customers, the MBA said.
TJX, which also operates the T.J. Maxx and Marshalls banners in the United States, said it learned of the breach in December, but confirmed that the intruder had accessed credit-card records dating back to 2003.
The company did not disclose how many customers were affected, but some have estimated that between 20 million and 40 million cardholders worldwide could potentially be exposed to fraud. The number of people affected in Canada is thought to be about two million, according to estimates on Bay Street.
Canadian bank officials declined to comment on the breach, which is under investigation by the FBI and the Royal Canadian Mounted Police. A spokeswoman for Visa, which is offered through four of Canada's five largest banks, could not be reached for comment. A spokeswoman for MasterCard was also unavailable for comment.
There have been two major security breaches for Canadians in the past week. The day after TJX made its announcement, the Canadian Imperial Bank of Commerce revealed that it lost a computer hard drive containing credit-card data and other personal information on nearly half a million customers of its Talvest mutual fund unit. Unlike TJX, however, the bank said it had found no evidence that this information was stolen, or that it had been accessed improperly.
Canada's federal privacy commissioner is investigating both incidents.