TJX offers US$40.9M settlement over breach

The parent company of TK Maxx has offered to settle with banks for US$40.9 million over the world's largest commercial security breach.
Written by Tom Espiner, Contributor

The parent company of TK Maxx in the United Kingdom, a leading apparel and fashion design retailer in the United States, has offered to settle with banks for US$40.9 million (19.8 million pounds) over the world's largest commercial security breach.

The settlement agreement, which needs to be accepted by 80 percent of Visa issuers to become effective, would guarantee up to a maximum of US$40.9 million pre-tax in "alternative recovery payments", TJX said in a statement.

"We believe this settlement agreement provides a fair resolution of these issues, and look forward to a high issuer acceptance of the proposal," said Carol Meyrowitz, president and chief executive officer of TJX Companies in a Friday statement. "At TJX, we have learned a great deal about the risks of cyberattacks and have responded aggressively to take our own security to even higher levels."

Each accepting bank will waive certain rights to any other asset recovery from TJX "through litigation or otherwise", according to the statement. Visa will suspend and rescind certain fines imposed on the retailer, while TJX will pilot new payment card security technology and "serve as a spokesperson in support of the goals of the Payment Card Industry--Data Security Standards [PCI-DSS]". These standards govern how data is kept secure during transaction processes.

Visa found TJX to be in breach of PCI-DSS in January, after TJX admitted its systems had been hacked.

TJX admitted in March that 45.7 million customer accounts had been compromised in attacks over two years. Investigators claimed the breaches came as a result of TJX's Wi-Fi network being sniffed and the WEP encryption protocol used by TJX being broken. However, a group of plaintiff banks claimed as part of a lawsuit in October that as many as 96 million credit-card details had been lost.

TJX stated in an SEC filing in July that cyberthieves first accessed its computer systems in July 2005 and installed software to harvest sensitive customer information such as account information, names and addresses, driver's license numbers and military and state identification. The breach continued until mid-January 2007.

Affected accounts included those involved in credit and debit card transactions, as well as cheques and returned merchandise without receipts at the company's Marshalls, TJ Maxx, HomeGoods and AJ Wright stores in the U.S. and Puerto Rico. Credit-card transactions at TJX's Winners and HomeSense stores in Canada, as well as credit and debit card transactions at its TK Maxx stores in Ireland and the U.K., were also compromised.
