The parent company of T.J. Maxx, Marshalls and A.J. Wright stores has agreed to pay Connecticut $391,023 as part of a settlement regarding a security breach in which hackers stole the credit and debit card account numbers of at least 19,000 state consumers from the company's computer systems.
The settlement with Framingham, Mass.-based TJX Cos. Inc. requires the company to pay $9.75 million to 41 states and upgrade its data security systems. An investigation by attorneys general that included Connecticut's Richard Blumenthal concluded that TJX failed to take proper steps to protect consumer data and meet industry security standards.
Nationwide, more than 94 million credit and debit card numbers were stolen from the company's computer systems, Blumenthal said, by what has been termed the largest identity theft ring in U.S. history.
"TJX's sieve-like security was a dream come true for identity thieves — and a nightmare for consumers," Blumenthal said. "The company must now upgrade and up-armor its defenses to properly protect information."
TJX has stressed that it "firmly believes" that it did not violate any consumer protection or data security laws.
Federal authorities charged 11 people last August following a three-year investigation in which agents tracked leads from China to Ukraine. The ring had also hacked the systems of Barnes & Noble, Sports Authority, BJ's Wholesale Club, OfficeMax, Boston Market, Forever 21 and the shoe-store chain DSW.
The trail led to Albert Gonzalez, an informant for the U.S. Secret Service who apparently served as the ringleader and double-crossed the agency by tipping off his cohorts.
TJX discovered the security breach in late 2006, but it apparently began in 2005.
An Associated Press report is included in this story.