TJX Reaches Settlement with States on Data Theft

June 25, 2009

The parent company of retailers T.J. Maxx and Marshall’s will pay $9.75 million in a settlement with multiple states related to a massive data theft that exposed tens of millions of payment card numbers.

Framingham, Mass.-based TJX Cos. said Tuesday it will pay $2.5 million to create a data security fund for the states, which include Nebraska, as well as a settlement amount of $5.5 million and $1.75 million to cover expenses related to the states’ investigations. But TJX stressed that it “firmly believes” that it did not violate any consumer protection or data security laws.

Nebraska’s share will be $25,146, said Attorney General Jon Bruning’s office.

TJX said the settlement’s costs are already accounted for in a 2007 reserve it created. According to a filing with the Securities and Exchange Commission filing earlier this month, as of May 2 — before the settlement was announced — the reserve was $39.5 million, the company’s estimate of the total potential costs related to pending litigation, investigations and other costs.

“The decision to enter into this settlement reflects TJX’s desire to concentrate on its core business without distraction and to promote cyber security measures that will benefit all consumers,” the company said in a statement.

The breach — disclosed in January 2007 — and exposed at least 45.7 million credit and debit cards to possible fraud in the computer systems breach that began in July 2005. The breach wasn’t detected until December 2006.

Under the settlement with a multistate group of 41 attorneys general, TJX must also certify that its computer system meets detailed data security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.

In April 2008, TJX Cos. offered to set aside $24 million to reimburse customers who through their MasterCard credit cards were defrauded because of a data breach last year. A similar agreement was made with Visa-card issuing banks the prior November for up to $40.9 million to help banks cover costs including replacing customers payment cards and covering fraudulent charges.

In January, TJX Cos. offered a 15 percent discount to its customers during a “Customer Appreciation” day to reward customers’ loyalty as the company dealt with the breach.

Eleven people were indicted last year on charges they hacked into the systems of TJX and other major retailers to steal the card numbers. TJX said to date, two of those indicted pleaded guilty, and two others have pleaded guilty to related charges.

TJX runs 882 of its namesake stores, 811 Marshalls, 322 HomeGoods and 141 A.J. Wright stores in the U.S. It has 203 Winners, 75 HomeSense and 3 Stylesense stores in Canada and 242 T.K. Maxx and 8 HomeSense stores in Europe.

Topics Cyber Fraud

Was this article valuable?

Here are more articles you may enjoy.