In a sequel to the biggest-ever data security breach in the US,
TJX Companies, the parent company of TK Maxx, Marshalls, and other
retailers, has settled with the bankers associations of
Massachusetts and Connecticut, the Maine Association of Community
Banks and three community banks, Eagle Bank, Saugusbank and
Collinsville Savings Society. Though no amount was specified, TJX
has agreed to reimburse the settling plaintiffs for a negotiated
portion of the costs and expenses they incurred in the case.
In addition to the settlement, TJX has agreed to fund up to
$40.9 million in payments to Visa-issuing banks that may have
suffered damages as a result of the data breach.
Legal action was brought against TJX by the settling plaintiffs
following a security breach reported in January 2007, in which
sensitive details of an estimated 46 million credit and debit card
users, who had shopped at the company’s 2085 US retail locations,
were stolen and sold to fraudsters. TJX believes its
computer system that manages cheque, credit and debit card
transactions and merchandise returns was first intruded upon in
July 2005 and on other occasions in 2005.
Commenting on the settlement agreement, Daniel Forte, president
of the Massachusetts Bankers Association, said: “This data breach
and the ensuing litigation have clearly initiated an important
nationwide dialogue on the importance of improving the security of
the US payment card system.”
In one notable fraud attempt resulting from the TJX data breach,
police in Florida apprehended criminals who had, according to a
statement issued by the Florida Attorney General’s office, used
stolen credit data they had acquired to produce counterfeit credit
cards that were in turn used to purchase gift cards at WalMart or
Sam’s Club retail outlets. The criminals then redeemed the gift
cards to buy jewelry and electronic equipment. Authorities
estimated a total loss of $3 million could be attributed to the
criminals nationwide. The gang’s ringleader received a five-year
sentence.
At the time of the data breach TJX was not compliant with the
Payment Card Industry Data Security Standard (PCI DSS), a situation
it has since rectified.
“We are pleased to see the steps undertaken by TJX to improve
the protection of cardholder data. Those steps have resulted in TJX
having recently been certified as fully PCI DSS-compliant by an
independent PCI-approved assessor,” said Forte who added that over
the past six months compliance amongst big retailers had risen from
40 percent to 70 percent. “We believe our case was highly
influential in achieving this progress,” said Forte.