TJX Settles With 41 States for $9.74 Million

The TJX Companies, Inc. announced on Tuesday it has settled with a multi-state group of 41 Attorneys General, resolving the states' investigations related to the 2005 breach of TJX's computer system. The breach made headlines, as an estimated 94 million credit card numbers were taken in the hack. The company will pay $9.75 million, including $2.5 million to set up a new Data Security fund to be used by the states.

The cost for this settlement is already reflected in the reserve of $107 million that TJX established in 2007 for potential losses. The company paid $40 million to Visa and $24 million to MasterCard earlier in 2007, and in 2008 the company faced stiff penalties from the Federal Trade Commission (https://www.bankinfosecurity.com/articles.php?art_id=791), including the stipulation that TJX obtain audits by independent third-party security professionals every other year for 20 years.

In a press release announcing the settlement, the company says it agrees to take a leadership role in "exploring new technologies and approaches to solving the systemic problems in the US payment card industry." The company cites this as a problem that continues to plague businesses and institutions and makes US consumers worldwide targets for increased cyber crime.

Under the settlement, TJX agrees to:

  • Provide $2.5 million to establish a new Data Security Fund for use by the states to advance effective data security and technology;

  • Provide a settlement amount of $5.5 million together with $1.75 million to cover expenses related to the states' investigations;

  • Certify that TJX's computer system meets detailed data security requirements specified by the states;

  • Encourage the development of new technologies to address systemic vulnerabilities in the United States payment card system.

The hackers who were the masterminds behind the TJX breach were finally snared by federal and international law enforcement through forensic investigation after the attacks took place. Eleven indictments were announced by the United States Attorney on August 5, 2008. Two have pled guilty, and two other hackers pled guilty to related charges.


About the Author

Linda McGlasson


Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



