TJX reaches $9.75 million breach settlement with 41 states

More than two years after TJX Companies Inc. acknowledged that it was hit with a massive data breach, the Framingham, Mass.-based retailer agreed to boost its security measures and pay 41 states nearly $10 million to cover the costs of investigating the incident.

Under the terms of the settlement announced yesterday, TJX will pay the states a total of $7.25 million for the investigations and will also create a $2.5 million data security fund available to the states for projects that "advance" effective data security and technology, the company said in a statement.

The settlement also requires that TJX certify that its computer systems meets "detailed data security requirements" prescribed by the states, and that it "encourage" the development of new technologies that can better secure payment card data.

TJX, which operates the retail chains like T.J. Maxx, Marshalls and Bob's Stores, disclosed in January 2007 what was widely seen at the time as the biggest breach of payment cards ever. The company had said that at least 45 million cards were exposed in the breach, and that the total could have been as high as 94 million cards.

The payment cards were compromised by intruders who broke into the TJX Companies networks via poorly configured wireless access points at some of its stores in Florida.

In a statement yesterday, TJX insisted that it did not violate any consumer or data protection laws in connection with the breach. The company said it agreed to the settlement because it wanted to "concentrate on its core business without distraction".

To date, 11 people have been charged on ID theft and computer fraud counts in connection with the case, and at least two have pleaded guilty. Three of the 11 are U.S. citizens while the rest are from Estonia, Ukraine, China and Belarus.

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine