TJX Companies Inc., which has undergone a barrage of lawsuits as a result of a massive data breach of its systems, agreed to pay $9.75 million, settling a lawsuit brought on by attorneys generals from 41 states.
- Jon Oltsik, Senior Analyst Enterprise Strategy Group
The parent company of T.J. Maxx and Marshall stores, disclosed in January 2007 that its systems were hacked, exposing at least 45.7 million credit and debit cards to possible fraud. Under the terms of the settlement, the company will pay $2.5 million to create a data security fund for states and a settlement amount of $5.5 million and $1.75 million to cover expenses related to the states' investigations.
In addition, TJX said it agreed to certify that TJX's computer system meets detailed data security requirements specified by the states; and encourage the development of new technologies to address systemic vulnerabilities in the U.S. payment card system.
"Under this settlement, TJX and the attorneys general have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the U.S. payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cybercrime," Jeffrey Naylor, chief financial and administrative officer of TJX said in a statement.
Naylor reiterated TJX stance throughout the incident that the company did not violate any consumer protection or data security laws. "The decision to enter into this settlement reflects TJX's desire to concentrate on its core business without distraction and to promote cyber security measures that will benefit all consumers," the company said.
Cybersecurity hearing highlights inadequacy of PCI DSS: Lawmakers call the PCI standard lacking and seek significant improvements to the payment processing infrastructure to enhance security.
Heartland breach highlights PCI limitations: The benefits of complete PCI and the necessity of full compliance are now being widely questioned, says Eric Ogren, principal analyst, The Ogren Group.
According to investigators, over an 18-month period, hackers exploited a hole in TJX's Wi-Fi network and used a modified sniffer program to monitor and capture data from TJX's transaction systems. Investigators said TJX was using the Wired Equivalent Privacy (WEP) encryption protocol, an older security standard. Wi-Fi Protected Access (WPA) replaces the original WEP security standard. It is compatible with the latest standard, IEEE 802.11i, referred to as WPA2.
Eleven indictments were announced by the United States Attorney in 2008. To date, two of those indicted have pled guilty and two other individuals have pled guilty to related charges.
"This was a self inflicted wound and certainly TJX has done a lot of work since the breach, but the breach itself was the result of poor processes and negligence," said Jon Oltsik, senior analyst at Enterprise Strategy Group.
Although TJX became the poster child of what could happen when a company suffers a massive breach, Oltsik said it will likely take a breach of intellectual property and other sensitive data that puts a company out of business before every firm takes data security seriously. There have been other massive breaches since, Heartland Payment Systems Inc. is in the midst of a data breach investigation affecting millions of cardholders and Hannaford Supermarket investigators discovered malware that bilked 4.2 million credit and debit card numbers from the grocer's systems.
"The difference between TJX and any other company is just the luck of the draw. They had areas where they were not compliant with PCI DSS but most companies do if you look close enough," said Ed Moyle, co-founder of IT consultancy Security Curve, security solutions manager at integrator CTG. "Some of these environments are quite complex, especially with brick and mortar retail outlets."
The Payment Card Industry Data Security Standards (PCI DSS) addressed security of cardholder data. But Oltsik said its unclear how much fraud there is in the audit process as there is relatively little oversight from people outside the payment transaction industry.
"PCI is a pretty good first start, but there's plenty of room for abuses and for fraud," Oltsik said.
Lawmakers have gotten involved with dozens of states passing data breach notification rules and two states, Massachusetts and Nevada, targeting data security with encryption rules. The federal government has approached the problem on an industry basis, clamping down on the healthcare industry with stronger HIPAA rules and addressing problems in the financial industry. By contrast, the European Union approached the issue, taking a privacy approach.
In December 2007, TJX settled a lawsuit from dozens of banks, agreeing to pay out $40.9 million to cover costs connected to the retailer's massive data breach. The banking groups claimed in a lawsuit that the breach compromised 94 million accounts, far more than the 45.7 million figure announced by TJX.
The company also settled various class-action lawsuits brought on by customers who claimed they were victims of the breach. The company agreed to offer affected customers three years of credit monitoring services and identity theft insurance.