Skip to main content

TJX reaches data theft settlement


Framingham, Mass. TJX Cos. said Tuesday it will pay $2.5 million to create a data security fund for states, as well as a settlement amount of $5.5 million and $1.75 million to cover expenses related to the states' investigations. But TJX stressed that it "firmly believes" it did not violate any consumer protection or data security laws.

TJX said the settlement's costs are already accounted for in a 2007 reserve it created. According to a filing with the Securities and Exchange Commission filing earlier this month, as of May 2 -- before the settlement was announced -- the reserve was $39.5 million, the company's estimate of the total potential costs related to pending litigation, investigations and other costs.

"The decision to enter into this settlement reflects TJX's desire to concentrate on its core business without distraction and to promote cyber security measures that will benefit all consumers," the company said in a statement.

The breach was disclosed in January 2007 and exposed at least 45.7 million credit and debit cards to possible fraud in the computer systems breach that began in July 2005. The breach wasn't detected until December 2006.

Under the settlement with a multi-state group of 41 attorneys general, TJX must also certify that its computer system meets detailed data security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.

In April 2008, TJX Cos. offered to set aside $24 million to reimburse customers who through their MasterCard credit cards were defrauded because of a data breach last year. A similar agreement was made with Visa-card issuing banks the prior November for up to $40.9 million to help banks cover costs including the replacement customer payment cards and covering fraudulent charges.

This ad will auto-close in 10 seconds