TJX reaches settlement with states on data theft

June 23, 2009

(AP) -- Discount retailer TJX Cos. said Tuesday it has reached a settlement with multiple states related to a massive data theft that occurred at the parent company of retailers T.J. Maxx and Marshall's a few years ago.

The Framingham, Mass.-based company said it will pay $2.5 million to create a data security fund for states as well as a settlement amount of $5.5 million and $1.75 million to cover expenses related to the states' investigations. But TJX stressed that it "firmly believes" that it did not violate any consumer protection or data security laws.

"The decision to enter into this settlement reflects TJX's desire to concentrate on its core business without distraction and to promote cyber security measures that will benefit all consumers," the company stated.

TJX said the settlement's costs are already accounted for in a 2007 reserve it created.

The breach, which was disclosed in January 2007, exposed tens of millions of payment card numbers to hackers. TJX has said that at least 45.7 million credit and debit cards were exposed to possible fraud in the computer systems breach that began in July 2005. The breach wasn't detected until December 2006.

Under the settlement with a multi-state group of 41 Attorneys General, TJX must also certify that its computer system meets detailed data security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.

TJX runs 882 of its namesake stores, 811 Marshalls, 322 HomeGoods and 141 A.J. Wright stores in the U.S. It has 203 Winners, 75 HomeSense and 3 Stylesense stores in Canada and 242 T.K. Maxx and 8 HomeSense stores in Europe.

The company's stock fell 23 cents to $30.55 in afternoon trading.

©2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.