TJX Companies Inc., the corporate parent of retail chains T.J. Maxx and Marshalls, has reportedly agreed to a $41 million settlement with Visa in connection with a massive data security breach. The Associated Press reported the settlement Friday, without attribution.
The company announced earlier this year that it had been hit with an "unauthorized intrusion" that exposed customers' credit and debit card data to the hacker. The breach apparently occurred in mid 2006 but wasnt detected mid-December 2006.
The company claimed, at the time, it did not have a full estimate of the number of customers affected, or what the potential financial fallout might be.
The TJX breach promoted warnings by Visa to banks throughout Massachusetts, as well as a wave of reissues of ATM and debit cards to customers.
TJX faces suits by numerous banks and financial trade associations, who want to hold TJX liable for the costs of replacing the millions of credit and debit cards exposed as a result of the breach.
Although the TJX company's initial estimates were that 46 million customers may have been affected by the breach, internal court filings in the bank lawsuit showed the numbers closer to 94 million, with costs to card issuers such as Visa ranging from $65 to $80 million.
The hack itself involved the compromise of credit and debit card data from sales at TJX store chains in the U.S., Canada, and Puerto Rico through 2003, and again in the latter half of 2006.
At the time of the disclosure, TJX said it had identified "a limited number of credit card and debit card holders whose information was removed from its system," and was in the process of providing this information to credit card issuers.
TJX said it also informed the Justice Department and local law enforcement agencies, as well as contacting IBM and General Dynamics to assist it with improving its security procedures and preventing further breaches.
"We are deeply concerned about this event and the difficulties it may cause our customers," Ben Cammarata, chairman and acting CEO of TJX, said at the time. "We want to assure our customers that this issue has the highest priority."
Class Action Settlement
Earlier this month, the Attorneys General of ten states objected to a special "Customer Appreciation Sale" proposed as part of the class action settlement of the TJX data breach.
Massachusetts Attorney General Martha Coakley called the proposed three-day event "nothing more than a retail sale, which would primarily benefit the defendant, TJX Companies."
Coakley, writing on behalf of nine other state Attorneys General, petitioned U.S. District Court Judge William Young to reconsider the sale, or "at the very least, subject the Special Event to heightened scrutiny before approval."
Coakley argued that the sale would not offer any real benefit for members of the class-action suit, whether they were victims of fraud resulting from the breach or simply had their cards replaced.
Coakley, who was a victim of identity theft in an unrelated case last year, said that TJX should not abuse the public's good will "for a sale that enhances its bottom line, nor should the classs attorneys reap large fees for an unquantifiable and dubious benefit."
TJX proposed the settlement in September 2007 to ward off multiple class-action lawsuits against it for letting as many as 94 million customers be exposed to hackers in a data breach that occurred over several years. In addition to the three-day sale, TJX has offered store credit vouchers to victims of the breach who provide documentation to substantiate their claim.