TJX reaches settlement on data breach

This article was originally on a blog post platform and may be missing photos, graphics or links. See About archive blog posts.

Retail giant TJX Cos. will pay $9.75 million to 41 states -- including California -- to settle an investigation of a massive data breach that jeopardized millions of payment card numbers.

TJX, the parent company of T.J. Maxx and Marshalls chains, will pay $7.25 million in settlement and investigation costs. Another $2.5 million will go to create a data security fund for states.

California’s share is $624,393.

In January 2007, TJX disclosed that hackers had tapped into TJX computer systems, which stored about 50 million customers’ credit and debit card numbers. The breach wasn’t detected for more than a year.

The Framingham, Mass., company emphasized in a news release today that it “firmly believes it did not violate any consumer protection or data security laws.”

California Atty. Gen. Jerry Brown had a different take, citing TJX’s 2004 internal audit, which found security vulnerabilities.

‘TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people,’ Brown said in a statement. ‘This agreement requires the company to carefully test its security systems and upgrade them to the highest contemporary standards.”

Jeffrey Naylor, TJX chief financial officer, said the settlement would allow TJX and the attorneys general to take “leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry.”

In California, TJX operates 103 Marshalls stores, 73 T.J. Maxx stores, 31 HomeGoods stores and seven A.J. Wright stores.

Eleven people were arrested on the hacking charges. Two individuals pleaded guilty, and another two have pleaded guilty to related charges, a TJX news release said.

- W.J. Hennigan