TJX Settles With 41 States Over Data Security Breach
TJX Companies Inc. said on Tuesday that it has settled with a multi-state group of 41 Attorneys General, resolving the states’ investigations into a massive data breach in TJX’s computer system.
The data theft, which the company revealed in January 2007, exposed tens of millions of payment card numbers to an international ring of cybercriminals. At least 45.7 million credit and debit cards were exposed to possible fraud in the breach that began in July 2005, the discount retailer said. The breach wasn’t detected until December 2006.
TJX, parent company of Marshall’s and T.J. Maxx, said it will pay $2.5 million to establish a data security fund for the states, in addition to a settlement amount of $5.5 million and $1.75 million to reimburse the states for expenses related to their investigations of the breach.
“This settlement furthers our goal of enhancing consumer protection, which has been central to TJX. Under this settlement, TJX and the Attorneys General have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime,” said Jeffrey Naylor, Chief Financial and Administrative Officer of The TJX Companies, Inc.
Despite the settlement, TJX insisted it "firmly believes" it did not violate any data security or consumer protection laws.
"The decision to enter into this settlement reflects TJX’s desire to concentrate on its core business without distraction and to promote cyber security measures that will benefit all consumers," the company stated.
“The sheer number of attacks by cyber criminals demonstrates the challenges facing the U.S. payment card system in protecting sensitive consumer data. This settlement furthers TJX’s efforts to unite retailers, law enforcement, banks, and payment card companies to consider installing in the U.S. the proven card security measures that are already in use throughout much of the world,” Naylor said.
The settlement also calls for TJX to certify that its computer system meets stringent data security requirements specified by the states. The company must also encourage the development of new technologies to address systemic vulnerabilities in the U.S. payment card system.
Within the United States, TJX operates 882 of TJ Maxx stores, 811 Marshalls, 322 HomeGoods and 141 A.J. Wright stores. The Framingham, Mass.-based company has 203 Winners, 75 HomeSense and 3 StyleSense stores in Canada and 242 T.K. Maxx and 8 HomeSense stores in Europe.
The company said the cost for the settlement is already reflected in the reserve it established in 2007.
Shares of TJX stock fell 23 cents to $30.55 in afternoon trading.
—
On the Net: