TJX offers $40.9 million breach settlement

By Bill Brenner, Senior News Writer
03 Dec 2007 | SearchSecurity.com

TJX Cos. Inc. is offering to pay Visa card issuers $40.9 million to compensate for costs connected to the massive data security breach the retailer first disclosed in January. The move, designed to save the company many millions of dollars in lawsuit damages, comes on the heels of a decision in U.S. District Court in Boston to reject the class-action status banking associations sought in their lawsuits against the company.

In a statement released Friday, Framingham, Mass.-based TJX said it will pay up to $40.9 million to fund the "alternative recovery" program, which requires a certain level of participation by issuers for the offer to be finalized. Visa Inc. is supporting the proposal.

"We believe issuers will benefit greatly by participating in this program because it offers immediate recovery on their data breach claims," Ellen Richey, head of global risk management for Visa Inc., said in a statement. "This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data. Additionally, it's clear the impact of a data compromise harms all payment system stakeholders -- merchants, banks and consumers alike. We hope one outcome of this resolution is recognition that a greater investment in security is good business."

All U.S. Visa card issuers who were forced to issue new cards and address fraudulent activity are eligible for financial compensation this calendar year if they participate in the program. Banks have until Dec. 19 to decide whether to accept the offer.

The offer was made within hours of the Boston court's decision not to grant class-action status for lawsuits a number of banking associations have brought against TJX. In his ruling, Judge William G. Young expressed "serious doubts" about whether the TJX litigation fit the proper parameters of class-action status. Furthermore, he wrote, "This Court is uncertain that the class definition set forth in the amended complaints is proper because … in many instances it will not be obvious that an issuing bank's injuries occurred 'as a result of the data breaches' as opposed to an unrelated fraud."

Nevertheless, the judge encouraged the plaintiffs to take their claims to Massachusetts Superior Court's business law division, and said his decision on class-action status could change after a scheduled Dec. 11 hearing on a separate motion as to why the banks are entitled to recover funds.

The Massachusetts Bankers Association said in a statement on its Web site that it's studying the decision and that "this is only one step in a long, complicated case and we are looking forward to the next hearing date on Dec. 11 when the court will consider important pending motions that we believe are related to class certification. Nothing in the decision discusses or addresses the conduct of TJX."

The banks that are suing TJX claim that more than 94 million accounts were compromised in the breach TJX first disclosed in January. That number includes 65 million Visa account numbers and 29 million MasterCard numbers.

In a report Canadian privacy officials released in September, TJX was criticized for collecting far too much consumer data for far too long while failing to upgrade its Wi-Fi security to the stronger WPA encryption protocol.

At the time of the breach, TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older security standard. Wi-Fi Protected Access (WPA) replaces the original WEP security standard. It is compatible with the latest standard, IEEE 802.11i, referred to as WPA2.
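The distinction drawn above (WEP as the older standard, WPA as its replacement, WPA2 as the IEEE 802.11i standard) is the kind of thing a defender would want to check across a fleet of access points rather than take on trust. The script below is an added example, not from the article or from TJX; it parses constructed hostapd-style configuration fragments (the key names `wpa`, `wpa_pairwise`, `rsn_pairwise` and `wep_key0` follow hostapd's conventions, but every value here is made up) and flags any access point still running WEP, no encryption, or WPA(1)/TKIP.

```python
"""Audit access-point configurations for deprecated wireless encryption.

Added example with constructed hostapd-style config fragments; none of this
is TJX's actual configuration.
"""

# Constructed sample configurations, one per access point.
SAMPLE_CONFIGS = {
    "store-ap-1": """
interface=wlan0
ssid=STORE_POS
wep_default_key=0
wep_key0=0123456789
""",
    "store-ap-2": """
interface=wlan0
ssid=STORE_POS
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=constructed-passphrase
""",
    "store-ap-3": """
interface=wlan0
ssid=STORE_POS
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-passphrase
""",
    "store-ap-4": """
interface=wlan0
ssid=GUEST
""",
}


def parse_config(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def classify(cfg):
    """Return (mode, finding) for one access point.

    mode is one of 'open', 'WEP', 'WPA', 'WPA2', 'WPA/WPA2' or 'unknown';
    finding is None when the configuration is acceptable, otherwise a
    short description of the weakness.
    """
    # Any wep_keyN entry means the AP is configured for WEP.
    if any(k.startswith("wep_key") for k in cfg):
        return "WEP", "WEP in use: deprecated, replace with WPA2 (IEEE 802.11i)"
    wpa = cfg.get("wpa")
    if wpa is None:
        return "open", "no encryption configured"
    mode = {"1": "WPA", "2": "WPA2", "3": "WPA/WPA2"}.get(wpa, "unknown")
    if mode in ("WPA", "WPA/WPA2"):
        return mode, "WPA(1) still permitted: restrict to WPA2 with CCMP"
    pairwise = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", ""))
    if "TKIP" in pairwise:
        return mode, "TKIP cipher enabled: use CCMP only"
    return mode, None


def audit(configs):
    """Audit every config; return a dict of name -> (mode, finding)."""
    return {name: classify(parse_config(text)) for name, text in configs.items()}


if __name__ == "__main__":
    for name, (mode, finding) in audit(SAMPLE_CONFIGS).items():
        status = "OK" if finding is None else "FINDING"
        print(f"{name}: {mode:9s} {status} {finding or ''}")
```

Run as-is it reports store-ap-1 (WEP), store-ap-2 (WPA/TKIP) and store-ap-4 (open) as findings and store-ap-3 (WPA2/CCMP) as acceptable; pointing `audit` at real exported configurations is the obvious next step.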

TJX has maintained that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The attackers began their assault on TJX by exploiting Wi-Fi weaknesses outside a couple of TJX stores.