CONSUMER NEWS RECALLS COMPLAINT FORM SCAM ALERTS

Small Claims Guide \| Class Actions \| Lemon Law \| FAQ \| Resources \| Newsletters \| Spanish
Automotive Education Electronics Family Finance Health Homeowners Shopping Travel

TJX Settles with FTC Over Data Breach

Nearly 100 million consumers may have been affected

By Martin H. Bosworth
ConsumerAffairs.com

April 1, 2008

TJX
• TJX To Pay Mastercard $24 Million For Data Breach
• TJX Settles with FTC Over Data Breach
• TJX Settles with Banks over Data Breach
• TJX Settles Visa Suit over Data Breach
• Attorneys General Oppose TJX Data Breach Settlement
• TJX Data Breach Victims Reach 94 Million
• TJX Data Breach Settlement Has Strings Attached
• Wireless Hackers Suspected In TJ Maxx Breach
• TJX Data Breach Called "Biggest Ever"
• Data From T.J. Maxx Breach Connected To Florida Fraud
• TJX Data Breach Bigger than Earlier Estimates
• Massachusetts, Rhode Island Open TJX Probes
• TJX Sued for Loss of Consumer Data
• Hackers Hit T.J.Maxx, Marshalls
• Congress Takes On Data Security
---
• TJX Customers: What To Do
• Consumer Complaints

The TJX company, parent to the TJ Maxx and Marshalls department store chains and the retailer responsible for one of the biggest data breaches in U.S. history, has agreed to a settlement of charges brought by the Federal Trade Commission (FTC) that it failed to use "reasonable and appropriate security for sensitive consumer information."

"By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," said FTC Chairman Deborah Platt Majoras. "Information security is a priority for the FTC, as it should be for every business in America."

Under the terms of the settlement, Framingham, Massachusetts-based TJX must immediately upgrade and implement comprehensive security procedures, and must submit to audits by third-party security experts every other year for twenty years.

No fines or penalties were levied due to the agency's inability to do so under the FTC Act, according to agency spokespersons.

Trail of theft

The FTC complaint stemmed from the discovery that hackers using laptops enabled with wireless Internet connections were able to intercept data transmitted between hand-held payment scanners at TJX stores as the hackers drove by.

The hackers were able to obtain the credit and debit card numbers of millions of customers, with the final total estimated as high as 94 million according to Visa. Visa estimated it had suffered $65 to $83 million in financial losses stemming from fraud caused by the theft.

More than 455,000 customers who returned merchandise to TJX stores had their personal information stolen during the breach, which had been ongoing for at least ten months prior to its discovery in December 2006.

Data taken during the breach later turned up in a case of fraud in Florida, where a ring of thieves used the data to create "clone" credit cards, then purchased gift cards from Wal-Mart which they then loaded and used to purchase expensive consumer goods.

Among the charges levied against TJX by FTC, the agency claimed that the retailer "did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to in-store networks without authorization," and that it "failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by patching or updating anti-virus software or following up on security warnings and intrusion alerts."

Unscathed

Although the TJX data breach was thought to be a watershed moment for the issues of identity theft and data security in the U.S., the retailer itself has emerged from the scandal largely unscathed.

The company offered a settlement to customers affected by the data breach in September 2007, which largely consisted of a special three-day "customer appreciation sale" and extended offers of credit monitoring for affected individuals, as well as store vouchers for customers who could document they were harmed by the breach. Attorneys General of ten states voiced their opposition to the proposed settlement, saying it benefitted the retail chain more than the customers.

TJX later settled Visa's charges against it for $41 million in November 2007, and paid an undisclosed amount to settle a group of lawsuits brought against it by Massachusetts-based banks in December 2007.

Consumers also have continued to shop at TJX stores in high numbers, as the weakening economy and high gas prices have made the retailer's discounted brand sales popular. The retailer recently reported February sales, which totaled $1.3 billion, up 6% from the year-prior $1.2 billion.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

July 9 2008

Print, mail, etc.

FREE CONSUMER NEWSLETTERS

The Daily Consumer
Afternoons M-F
Sign up now!

Consumer News & Alerts
Every Sunday
Sign up now!

Knowledge is free.
Knowledge is power.

Back to the top |

Terms of Use Your use of this site constitutes acceptance of the Terms of Use

Advertisements on this site are placed and controlled by outside advertising networks. ConsumerAffairs.com does not evaluate or endorse the products and services advertised. See the FAQ for more information.

Company Response Welcome If complaints about your company appear on our site, we welcome your response. Please see the Response Form for more information.

For more information, see the FAQ and privacy policy. The information on this Web site is general in nature and is not intended as a substitute for competent legal advice. ConsumerAffairs.com Inc. makes no representation as to the accuracy of the information herein provided and assumes no liability for any damages or loss arising from the use thereof.