TJX Settles With 41 States for $9.74 MillionThe TJX Companies, Inc. announced on Tuesday it has settled with a multi-state group of 41 Attorneys General, resolving the states' investigations related to the 2005 breach of TJX's computer system. The breach made headlines, as an estimated 94 million credit card numbers were taken in the hack. The company will pay $9.75 million, including $2.5 million to set up a new Data Security fund to be used by the states.
The cost for this settlement is already reflected in the reserve of $107 million that TJX established in 2007 for potential losses. The company paid $40 million to Visa and $24 million to MasterCard earlier in 2007, and in 2008 the company faced stiff penalties from the Federal Trade Commission, (https://www.bankinfosecurity.com/articles.php?art_id=791) including the stipulation that TJX obtain audits by independent third-party security professionals every other year for 20 years.
The company in a press release announcing the settlement says it agrees to take a leadership role in "exploring new technologies and approaches to solving the systemic problems in the US payment card industry." The company cites this as a problem that continues to plague businesses and institutions and make US consumers worldwide targets for increased cyber crime.
Under the settlement, TJX agrees to:
- Provide $2.5 million to establish a new Data Security Fund for use by the states to advance effective data security and technology;
- Provide a settlement amount of $5.5 million together with $1.75 million to cover expenses related to the states' investigations;
- Certify that TJX's computer system meets detailed data security requirements specified by the states;
- Encourage the development of new technologies to address systemic vulnerabilities in the United States payment card system.
The hackers who were the masterminds behind the TJX breach were finally snared by federal and international law enforcement through forensic investigation after the attacks took place. Eleven indictments were announced by the United States Attorney on August 5, 2008. Two have pled guilty, and two other hackers pled guilty to related charges.