June 23, 2009

The bill for a three-year-old computer break-in at The TJX Cos. Inc. got $9.8 million steeper Tuesday when the company revealed a settlement with the attorneys general of 41 states.

The agreement puts an end to the states’ investigations into the retailer’s culpability in the massive security breach, through which hackers stole information on 45.7 million credit and debit cards from the company’s computer systems during 2005 and 2006, TJX said.

Under the terms of the arrangement, the Marshalls and TJ Maxx parent will pay a $5.5 million settlement, $2.5 million to establish a data security fund and $1.8 million to cover the states’ investigation costs.

The attorneys general will decide how to allocate the money in their respective states, but a company spokeswoman said provisions in the agreement called for funds to go towards consumer protection measures. The deal further calls for the off-price operator to certify its computer systems to meet states’ requirements and encourage new technologies that fight electronic card fraud.

The company said Tuesday it believes it did not violate any consumer protection or data security laws, but decided to resolve the matter to avoid further distraction. It said it would pay for the settlement through an after-tax reserve fund of $107 million it established in 2007 to deal with costs related to the breach.

TJX has been navigating the fallout from the security compromise since it went public with the news in January 2007. In December 2007, it agreed to fund up to $40.9 million in recovery payments at banks representing more than 95 percent of the Visa cardholders whose information was stolen. In March 2008, it settled a Federal Trade Commission complaint and agreed to submit to an independent audit of its computer security every two years for the next 30 years. In April 2008, it agreed to a $24 million payment to MasterCard.

Last August, the Justice Department indicted 11 people for their roles in the thefts, which then-U.S. Attorney General Michael Mukasey called “the single largest and most complex identity theft case ever charged in this country.”

According to the indictment, members of the conspiracy targeted TJX and other retailers, such as Forever 21 and DSW, by inserting packet-sniffing software that harvested customers’ financial information.

The crew also gained access to the driver's license and Social Security numbers of up to 450,000 customers who returned goods without a receipt, TJX acknowledged at the time. The plot’s alleged ringleader, Miami resident Albert Gonzalez, pleaded not guilty in U.S. District Court in Brooklyn, N.Y., in September and is awaiting trial.
