Complain about a product or service

TJX Settles with FTC Over Data Breach

Nearly 100 million consumers may have been affected

By Martin H. Bosworth
ConsumerAffairs.com

April 1, 2008

"By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," said FTC Chairman Deborah Platt Majoras. "Information security is a priority for the FTC, as it should be for every business in America."

Under the terms of the settlement, Framingham, Massachusetts-based TJX must immediately upgrade and implement comprehensive security procedures, and must submit to audits by third-party security experts every other year for twenty years.

No fines or penalties were levied due to the agency's inability to do so under the FTC Act, according to agency spokespersons.

Trail of theft

The FTC complaint stemmed from the discovery that hackers using laptops enabled with wireless Internet connections were able to intercept data transmitted between hand-held payment scanners at TJX stores as the hackers drove by.

The hackers were able to obtain the credit and debit card numbers of millions of customers, with the final total estimated as high as 94 million according to Visa. Visa estimated it had suffered $65 to $83 million in financial losses stemming from fraud caused by the theft.

More than 455,000 customers who returned merchandise to TJX stores had their personal information stolen during the breach, which had been ongoing for at least ten months prior to its discovery in December 2006.

Data taken during the breach later turned up in a case of fraud in Florida, where a ring of thieves used the data to create "clone" credit cards, then purchased gift cards from Wal-Mart which they then loaded and used to purchase expensive consumer goods.

Among the charges levied against TJX by FTC, the agency claimed that the retailer "did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to in-store networks without authorization," and that it "failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by patching or updating anti-virus software or following up on security warnings and intrusion alerts."

Unscathed

Although the TJX data breach was thought to be a watershed moment for the issues of identity theft and data security in the U.S., the retailer itself has emerged from the scandal largely unscathed.

The company offered a settlement to customers affected by the data breach in September 2007, which largely consisted of a special three-day "customer appreciation sale" and extended offers of credit monitoring for affected individuals, as well as store vouchers for customers who could document they were harmed by the breach. Attorneys General of ten states voiced their opposition to the proposed settlement, saying it benefitted the retail chain more than the customers.

TJX later settled Visa's charges against it for $41 million in November 2007, and paid an undisclosed amount to settle a group of lawsuits brought against it by Massachusetts-based banks in December 2007.

Consumers also have continued to shop at TJX stores in high numbers, as the weakening economy and high gas prices have made the retailer's discounted brand sales popular. The retailer recently reported February sales, which totaled $1.3 billion, up 6% from the year-prior $1.2 billion.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |