HarborOne Credit Union in Brockton, Mass., has sent The TJX Companies an invoice for US$590,000 for what the financial institution says it incurred in actual costs and reputational damage as a result of the data compromise disclosed by the retailer in January.

The bill was sent to TJX on April 30, but the company so far has not responded or commented on it in any fashion, said James Blake, president and CEO of the 100,000-member, $1.4 billion credit union.

“The bill was for both direct operational costs that we incurred reissuing new debit cards to our customers, as well as the costs to us from a reputational standpoint,” he said. According to Blake, the TJX breach resulted in HarborOne having to block and reissue about 9,000 cards at a cost of about $90,000. The remaining $500,000 is what Blake believes the breach cost the credit union in terms of brand damage.

“We had to notify customers of the fact that their account was breached. There were some questions on their part whether or not we were responsible [for the breach] when in fact it was TJX’s responsibility,” Blake said. Rather than pursue a formal lawsuit against TJX for the amount, HarborOne has decided to give TJX a chance to do the “morally” right thing, he said. “Whether they will is another issue. They have chosen not to respond to any of our communications. They have run from the problem from the very beginning.”

According to Blake, in the past year alone, HarborOne has had to reissue debit cards more than 30 times to customers as a result of data breaches at various retailers. “You can understand why we are a little upset about this,” he said. A spokesperson from TJX did not immediately respond to a request for comment.

HarborOne’s action comes amid growing pressure from credit unions and other financial institutions around the country to get retailers to take financial responsibility for data compromises.
Credit union associations in various states are vigorously lobbying lawmakers to approve bills that would require retailers to implement stronger data-security measures and to reimburse costs associated with reissuing payment cards after a breach.

One such bill is the Plastic Card Security Act that was signed into law in Minnesota last month after being actively pushed by the Minnesota Credit Union Network. And the California Credit Union League is now pushing a bill similar to the one in Minnesota. Other states, including Texas and Connecticut, have considered similar proposals recently.

Blake, who is chairman of the Massachusetts Credit Union League, welcomed such proposals but said such measures need to be considered at the federal level.

—Jaikumar Vijayan, Computerworld (US online)