Updated March 21 at 11:30 a.m. ET with details about stolen TJX data reportedly being used before the security breach was discovered.
TJX Companies Inc. continues to suffer the consequences of a massive data breach that exposed sensitive customer data to possible identity fraud. The retail giant now faces a lawsuit from one of its larger shareholders.
The Arkansas Carpenters Pension Fund owns 4,500 shares of TJX stock, and TJX denied its request to access documents outlining the company's IT security measures and its response to the data breach.
The shareholder filed the lawsuit in Delaware's Court of Chancery Monday afternoon under a law permitting shareholders to sue for access to corporate documents in certain cases, The Associated Press reported. The pension fund wants the records to see whether TJX's board has been doing its job in overseeing the company's handling of customer data, the news agency said.
This isn't the first lawsuit filed over the TJX security breach. In late January, a West Virginia woman filed a class action lawsuit against the company. She accused the retailer of negligence for not doing enough to secure customer data and for keeping quiet about the breach for a month.
"Because of TJX's actions, hundreds of thousands or even millions of its customers have had their personal financial information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages," according to the woman's lawsuit, which seeks credit monitoring services and any damages incurred by affected customers.
Framingham, Mass.-based TJX acknowledged in January that an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions.
The TJX breach was worse than first thought, TJX officials recently admitted. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation has turned up evidence that the thieves also were inside the network several other times, beginning in July 2005. The Federal Trade Commission (FTC) confirmed last week that it's investigating the data breach.
TJX violated some of the basic tenets of the PCI Data Security Standard (PCI DSS), several PCI auditors told SearchSecurity.com recently, and the company will pay a heavy financial price. They said companies should study the TJX security breach for clear lessons on what not to do with customer data.
The Massachusetts Bankers Association has reported that several of its member banks have been affected by fraudulent transactions associated with the TJX data breach.
For example, the stolen data has reportedly been used to make purchases in Florida, Georgia and Louisiana, as well as in Hong Kong and Sweden. In addition, credit card issuers have contacted at least 60 banks about compromised cards.
Law enforcement officials in Florida, meanwhile, claim thieves were using customer data from TJX last November for a gift card scheme -- a month before TJX learned of the breach.