Complain about a product or service

TJX Data Breach Settlement Has Strings Attached

Company offers credit monitoring, store credit and discounts as compensation for losses

by Martin H. Bosworth
ConsumerAffairs.com

September 25, 2007

The company says it wants to offer three free years of credit monitoring and identity theft insurance to those affected by the breach, but a closer look at the terms of the settlement shows that only a select few will qualify for the benefit.

The 455,000 TJX customers who were originally confirmed as having had their data stolen in the breach and who returned merchandise to a TJX store without receipts are eligible for the credit monitoring service, provided by Equifax, to total two years on top of the original one-year offer TJX provided.

TJX will also reimburse customers who had to replace driver's licenses as a result of the breach, if they submit written documentation verifying the time and money spent to the settlement claim administrator.

Other customers who submit documentation proving they lost time and money to deal with the effects of the breach are eligible for a TJX store voucher of $30, based on a calculation of $10 lost per hour. The average individual loss from identity theft is $6000 and 600 hours of time.

The company will also hold a special three-day "Customer Appreciation Sale" with a 15 percent discount on all items, sometime in 2008.

The settlement, which still needs to be approved by the court, absolves both the TJX company and its bank, Fifth Third Bancorp, of any wrongdoing or failure to secure customer data."TJX has concluded that further conduct of the Litigation would be protracted and expensive, and that it is desirable that the Litigation be fully and finally settled in the manner and upon the terms and conditions set forth in this Settlement Agreement," said the company.

TJX also offered to have both its own retained independent security expert and the lawsuit plaintiffs' expert conduct examination of TJX's security systems to validate the company's attempt to improve its procedures. But the settlement terms forbid the results of the examination from being made public, "and shall be subject to such confidentiality restrictions as TJX may reasonably require to protect the security of its computer system."

The class action settlement is only directed at lawsuits from customers. TJX still faces lawsuits from banks that had to absorb the costs of cancelling and replacing thousands of credit and debit cards due to the breach.

The TJX breach is alleged to have been caused by hackers using laptops with wireless connections to decode data between payment scanners at stores, a technique called "wardriving." Once inside the TJX database, the hackers purloined the data and sold it in the underground economy that specializes in the selling of stolen personal information across the Internet.

The breach went on for nearly 18 months before being detected in mid-December 2006. Even then, the breach was not publicly disclosed to consumers and the media until January 2007, and the true size of the data breach was not disclosed until February 2007.

Personal data stolen in the TJX breach turned up in an $8 million fraud case in Florida. The thieves used the data to create fake credit cards, then used the credit cards to purchase gift cards from Wal-Mart and buy high-end electronics and other goods. The ringleader of the counterfeiting group, Irving Escobar, was arrested and sentenced to five years in prison, as well as paying $600,000 in restitution for the fraud.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Follow us on Twitter.

Back to the top |