TJX Facing Multi-State Probe, Mounting Lawsuits Over Data Breach

By | February 12, 2007

Massachusetts’ attorney general said last week that her office was leading a civil investigation by dozens of states into a computer security breach by a hacker who stole customer data from TJX Cos., owner of discount retail chains including T.J. Maxx and Marshalls.

The investigation comes as banks nationwide reissue debit and credit cards to guard against further fraud from the breach, and the Framingham, Mass.-based TJX faces mounting lawsuits from consumers and financial institutions seeking class-action status.

More than 30 states have expressed interest in joining the investigation led by Massachusetts Attorney General Martha Coakley, Coakley spokeswoman Emily LaGrassa said.

Coakley said the investigation by her office’s Consumer Protection Division would examine what security measures TJX took to protect consumer information.

Coakley, whose office has been involved in probes of other similar breaches, said in a news release that TJX has been “very cooperative.”

“We are interested in continuing to work closely with the company so that we can protect Massachusetts consumers and the marketplace from credit card and other fraud,” she said.

A TJX spokeswoman did not immediately return a phone call seeking comment on Coakley’s announcement.

Robin Bloor, a data security consultant with the firm Hurwitz & Associates, predicted TJX would face financial penalties from the government scrutiny.

“TJX ought to expect a fine of some kind and, if justice is served, then the size of the fine will correspond to the extent of the breach and the level of negligence,” Bloor said.

TJX said Jan. 17 that hackers had broken into a system that handles credit and debit card transactions, checks and merchandise returns for customers in the U.S., Canada and Puerto Rico. The intrusion also may have involved customers of T.K. Maxx stores in the U.K. and Ireland.

The breach led to the theft of information from transactions in 2003, as well as from mid-May through December of last year. Fraudulent purchases have been discovered in the U.S. and overseas.

TJX has said it discovered the breach in mid-December, but it waited until Jan. 17 to make the breach public. TJX has said the delay allowed it to work with security experts to contain the problem and strengthen its computer network.

TJX has not publicly estimated how many customers were affected. The Wall Street Journal has reported more than 40 million cards may have been affected, but TJX has said the number was “substantially less than millions.”

TJX is the parent company of more than 2,400 discount stores, including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S., Winners and HomeSense in Canada and T.K. Maxx in Britain.

Since taking office last month, Coakley has said she would make protection of consumer information a top priority during her four-year term.

“The recent TJX data breach demonstrates that Massachusetts citizens do not have all the necessary tools to protect themselves against identity theft or credit card fraud,” Coakley said. “There are several proposals pending, including those that would require notification of consumers when their data was stolen or released, or that would give consumers the right to place a security freeze on their credit reports, which we are interested in reviewing.”

___

On the Net:

TJX Cos.: http://www.tjx.com

Was this article valuable?

Here are more articles you may enjoy.