The Green Sheet

Tuesday, June 30, 2009

TJX settlement reached

On June 25, 2009 TJX Companies Inc. announced it had reached a multi-part settlement with 41 Attorneys General representing multiple states, over the criminal acquisition of cardholder data in its system in 2005 and 2006. In January 2007 TJX reported the breach of its computer system, which compromised millions of credit and debit card numbers.

TJX has held the settlement amount in reserve since 2007.

"Under this settlement, TJX and the Attorneys General have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime," said Jeffrey Naylor, Chief Financial and Administrative Officer for TJX.

According to the terms of the settlement, TJX will:

  • Supply $2.5 million to establish a new Data Security Fund for the plaintiff states
  • Pay $5.5 million, plus an additional $1.75 million to cover the states' investigative expenses
  • Certify that its computer system meets the detailed data security requirements outlined by the states
  • Encourage the development of new technologies to help secure the U.S. payment system

"It's a lot of money – there's no question about it," said Steve Eazell, Vice President of Sales and Marketing for Secure Payment Systems, a Calif.-based ISO. "Is it enough for me to say well I feel safe at T.J. Maxx now?"

He added, "T.J. Maxx wasn't the only one that got breached, but they were the first ones that made national headlines. They probably got hit the hardest because they were the first one that made national attention … I think it's unfair to hold them as accountable as they did, to that level."

The scope

As reported in the April 23, 2007 edition of The Green Sheet ("TJX turbulence: Time to board the PCI ship"), the first intrusion into the TJX system dated back to July 2005, and the attacks continued to occur into 2006.

Cyber criminals belonging to an international crime ring broke through the Wired Equivalent Privacy (WEP) encryption, giving them access to nearly 100 million complete card numbers stored on TJX's computer system. Eleven of the alleged perpetrators were indicted in August of last year.

"The sheer number of attacks by cyber criminals demonstrates the challenges facing the U.S. payment card system in protecting sensitive consumer data," said Naylor. "This settlement furthers TJX's efforts to unite retailers, law enforcement, banks, and payment card companies to consider installing in the U.S. the proven card security measures that are already in use throughout much of the world."

TJX maintains that it was not in violation of any consumer protection or data security laws when the breach happened. The company said in its June 25 press release that "the decision to enter into this settlement reflects TJX's desire to concentrate on its core business without distraction and to promote cyber security measures that will benefit all consumers."

Setting a standard

Eazell suggested that TJX take a proactive approach to shoring up its security framework, comparing the company to Heartland Payment Systems Inc. (whose processing system was breached in 2008). "Shoot, they look like heroes. Everybody's looking at Heartland, forgetting about the fact that they got breached.

"But I do believe the retailers do need to know that this is very delicate information and they do need to handle it with extra caution because of the nature of what's at stake."

Eazell added that many merchants still don't know enough about data security, and that it's crucial the public be made more aware of the problem.

Breaches like these send ripples that can last years for the consumer, the processor and the retailer, not to mention any third party vendor that's involved. The cost is staggering and can put smaller companies out of business. This judgment is one of financial consequence, but consumer confidence is another matter. Consumers need to know their information is secure, but until the industry can get ahead of the hackers, can we ever guarantee that it is?

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.