
TJX offers $40.9 million breach settlement

Banks have until Dec. 19 to decide whether to accept TJX's $40.9 million settlement offer to cover costs connected to the retailer's massive data breach.

TJX Cos. Inc. is offering to pay Visa card issuers $40.9 million to compensate for costs connected to the massive data security breach the retailer first disclosed in January. The move, designed to save the company many millions of dollars in lawsuit damages, comes on the heels of a decision in U.S. District Court in Boston to reject the class-action status banking associations sought in their lawsuits against the company.

In a statement released Friday, Framingham, Mass.-based TJX said it will pay up to $40.9 million to fund the "alternative recovery" program, which requires a certain level of participation by issuers for the offer to be finalized. Visa Inc. is supporting the proposal.

"We believe issuers will benefit greatly by participating in this program because it offers immediate recovery on their data breach claims," Ellen Richey, head of global risk management for Visa Inc., said in a statement. "This agreement demonstrates the importance of retailers and the payment card industry working together to protect cardholder data. Additionally, it's clear the impact of a data compromise harms all payment system stakeholders -- merchants, banks and consumers alike. We hope one outcome of this resolution is recognition that a greater investment in security is good business."

All U.S. Visa card issuers who were forced to issue new cards and address fraudulent activity are eligible for financial compensation this calendar year if they participate in the program. Banks have until Dec. 19 to decide whether to accept the offer.

The offer was made within hours of the Boston court's decision not to grant class-action status for lawsuits a number of banking associations have brought against TJX. In his ruling, Judge William G. Young expressed "serious doubts" about whether the TJX litigation fit the proper parameters of class-action status. Furthermore, he wrote, "This Court is uncertain that the class definition set forth in the amended complaints is proper because … in many instances it will not be obvious that an issuing bank's injuries occurred 'as a result of the data breaches' as opposed to an unrelated fraud."

Nevertheless, the judge encouraged the plaintiffs to take their claims to Massachusetts Superior Court's business law division, and said his decision on class-action status could change after a scheduled Dec. 11 hearing on a separate motion as to why the banks are entitled to recover funds.

The Massachusetts Bankers Association said in a statement on its Web site that it's studying the decision and that "this is only one step in a long, complicated case and we are looking forward to the next hearing date on Dec. 11 when the court will consider important pending motions that we believe are related to class certification. Nothing in the decision discusses or addresses the conduct of TJX."

The banks that are suing TJX claim that more than 94 million accounts were compromised in the breach TJX first disclosed in January. That number includes 65 million Visa account numbers and 29 million MasterCard numbers.

In a report Canadian privacy officials released in September, TJX was criticized for collecting far too much consumer data for far too long while failing to upgrade its Wi-Fi security to the stronger WPA encryption protocol.

At the time of the breach, TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older security standard. Wi-Fi Protected Access (WPA) replaces the original WEP security standard and is compatible with the latest standard, IEEE 802.11i, referred to as WPA2.

TJX has maintained that at least 45.7 million credit and debit cards were stolen over an 18-month period by hackers who managed to penetrate its network. The attackers began their assault on TJX by exploiting Wi-Fi weaknesses outside a couple of TJX stores.
