[ISN] TJX offers deal to end data breach suit

From: InfoSec News (alerts@private)
Date: Mon Sep 24 2007 - 00:00:09 PDT


http://www.boston.com/business/globe/articles/2007/09/22/tjx_offers_deal_to_end_data_breach_suit/

By Ross Kerber
Globe Staff  
September 22, 2007

TJX Cos. said that it reached a tentative settlement with customers who 
were victims of the largest security breach of personal data ever 
reported and that it would provide store vouchers to some people whose 
data were compromised and a three-day sale for all customers.

The deal in the class-action lawsuit, disclosed by TJX of Framingham 
late yesterday, still requires court approval and would not resolve 
claims TJX faces from banks that had to reissue many credit and debit 
cards compromised in the breach. TJX is the parent of popular stores 
such as TJ Maxx and Marshalls.

At least 45.7 million credit and debit card numbers were stolen from TJX 
by hackers who accessed the company's computer systems. TJX has said 
about 75 percent of the compromised cards were expired or had data in 
the magnetic strip masked.

The settlement offers shoppers more generous terms than TJX had 
previously provided and could resolve uncertainty facing the company 
over the intrusion, in which hackers were able to penetrate its computer 
systems for more than a year until the breach was detected in December.

"We deeply regret any inconvenience our customers may have experienced 
as a result of the criminal attack on our computer system," TJX chief 
executive Carol Meyrowitz said in a statement. "Importantly, we truly 
appreciate our customers' continued patronage. TJX has been working 
diligently to reach a settlement that offers a good resolution for our 
customers."

Attorneys for the consumers did not return messages yesterday evening. 
Archie C. Lamb Jr., the Birmingham, Ala., lawyer who is lead counsel for 
the banks in the case, said he hadn't yet been able to review the 
settlement to discuss it in detail.

Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego 
consumer group, said she frowns on discounts to settle breach lawsuits 
since they tend to drive up business and so "aren't an effective 
penalty." But she said TJX deserves credit for recognizing that breaches 
can cost customers many hours to take steps such as canceling credit 
cards.

Specifically TJX said it would offer store vouchers worth around $30 to 
certain customers who could show they lost time or money to deal with 
the breach, valuing their time at $10 per hour. TJX also said it will 
hold a three-day "customer appreciation" sale featuring 15 percent 
discounts in its stores in the United States and Canada.

Also, TJX previously had offered one year of credit monitoring and 
identity theft insurance to customers whose Social Security numbers were 
believed stolen. The tentative deal would also offer three years of 
credit monitoring and several years of identity theft insurance to about 
455,000 customers who had returned merchandise to TJX without receipts, 
making them more vulnerable to the breach. In addition, TJX now will 
offer reimbursements to people who had to replace compromised driver's 
licenses.

TJX did not disclose the exact cost of the proposed settlement but said 
it was within the parameters of its previous estimates, which put total 
costs at $256 million.

TJX said the settlement would cover all customer class-action suits in 
the United States, Puerto Rico, and Canada with respect to the 
intrusions. A consolidated suit in US District Court in Boston had 
accused TJX of negligence, breach of contract, and other violations in 
connection with its security practices.

In its statement TJX said it denies the claims and allegations, but it 
"has concluded that further legal activity would be time consuming and 
expensive, making it desirable that the actions be settled."

TJX spokeswoman Sherry Lang said the company doesn't expect a court 
ruling on the settlement until the spring.

