FRAMINGHAM, Mass. (6/25/09)--TJX Cos. has agreed to pay $9.75 million in a settlement regarding a data breach announced in January 2007 that compromised many credit union members’ credit and debit cards. At least 45.6 million card numbers were compromised, and card companies such as Visa and MasterCard estimate that as many as 94 million cards were exposed (News Now Jan. 22, 2008).

Credit unions nationwide incurred significant costs when they replaced members’ cards whose account numbers were exposed.

Framingham, Mass.-based TJX announced the settlement Tuesday. The retailer settled with a multi-state group of 41 attorneys general to resolve the states’ investigations related to a criminal intrusion into TJX’s computer system. Under the settlement, TJX has agreed to:
* Provide $2.5 million to establish a new data security fund for use by the states to advance effective data security and technology;
* Provide a settlement of $5.5 million together with $1.75 million to cover expenses related to the states’ investigations;
* Certify that TJX’s computer system meets detailed data security requirements specified by the states; and
* Encourage the development of new technologies to address systemic vulnerabilities in the U.S. payment card system.

Eleven indictments were announced in connection with the breach on Aug. 5, 2008. Two of the indicted criminals have since pleaded guilty, and two have pleaded guilty to related charges, TJX said in a release.