Retail giant TJX Cos. agreed Tuesday to pay $9.75 million to 41 states including California to settle an investigation of a massive data breach that jeopardized millions of payment card numbers.
TJX, the parent company of the T.J. Maxx and Marshalls discount clothing chains, will pay $7.25 million in settlement and investigation costs. In addition, $2.5 million will go to create a data security fund for those states. California's share is $624,393.
In January 2007, TJX disclosed that hackers had tapped into its computer systems, which stored about 50 million customers' credit and debit card numbers. The breach wasn't detected for more than a year.
The Framingham, Mass., company emphasized in a news release that it "firmly believes it did not violate any consumer protection or data security laws."
California Atty. Gen. Jerry Brown had a different take, citing TJX's 2004 internal audit, which found security vulnerabilities.
"TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people," Brown said in a statement. "This agreement requires the company to carefully test its security systems and upgrade them to the highest contemporary standards."
TJX's chief financial officer, Jeffrey Naylor, said the settlement would allow TJX and the states' attorneys general to take "leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry."
Eleven people were arrested on the hacking charges. Two pleaded guilty, and two have pleaded guilty to related charges, TJX said.
In California, TJX operates 103 Marshalls stores, 73 T.J. Maxx stores, 31 HomeGoods stores and seven A.J. Wright stores.