The parent of TJMaxx and Marshalls will pay $9.75 million and allow an unprecedented three years of state government monitoring of its data security effort to settle an investigation into how hackers swiped 100 million credit and debit card numbers three years ago.
TJX Cos. on Tuesday struck the deal with attorneys general from 41 states. It used some of the $107 million it set aside last year to deal with the fallout of the breach that went on for 17 months in 2006 and 2007. So far, $41 million has gone to reimbursing banks for their losses, and the state settlement will pay for the cost of its inquiry.
Florida, the site of the initial TJMaxx-Marshalls breach and much of the fraud it stirred up, was among five lead states to negotiate the settlement.
After describing TJX as a victim as much as consumers were, Florida Attorney General Bill McCollum said the deal shows he is serious that "companies need to take the appropriate precautions to protect the data with which customers entrust them."
TJX chief financial officer Jeffrey Naylor termed the agreement a sign that the company and state law enforcement officials are resolved to better protect consumer data from hackers. The deal spells out specific steps for TJX to tighten data security, requires notice in 10 days if there is another lapse and earmarks $500,000 for the state to monitor compliance and look into other increasingly common payment card data breaches.
In the TJX case, which started in a parked van outside a Miami Marshalls, hackers tapped into a TJX wireless network that transmits credit and debit numbers between stores and a central data center. They swiped personal information such as the driver's license numbers of 450,000 people who returned merchandise without receipts. Crooks as far away as Sweden and Hong Kong tried to use the card numbers. Police in Gainesville arrested a ring that allegedly implanted the numbers on enough gift cards to buy $3 million in valuables at Wal-Mart and Sam's Clubs.
Usually card issuers eat bogus charges and issue new cards. But customers are angered by the uncertainty of losing money and are not always reimbursed. Many card issuers refuse to tell customer which retailer's system was tapped.
The state settlement follows a recent TJX settlement with the U.S. Federal Trade Commission, but not everybody sees government looking over the payment industry's shoulder as a good thing.
"If it's protecting consumers, that's one thing," said Avivah Litan, a computer security expert with Gartner Research. "But the government should not get out of its league dictating technology solutions. It changes faster than they can keep up."
Mark Albright can be reached at [email protected] or (727) 893-8252.