TJX to pay up to $24M in breach; Funds to cover MasterCard settlement.
Byline: Mark Jewell
BOSTON - Discount retailer TJX Cos. could pay as much as $24 million in a settlement yesterday with MasterCard Inc. over a massive breach that exposed tens of millions of payment card numbers to hackers.
The pact came as a group that tracks U.S. data breaches
The TJX agreement, which follows a similar $40.9 million pact in November with Visa Inc., hinges on banks that issue MasterCards agreeing to waive rights to sue TJX in exchange for being paid for breach-related costs.
Issuers of at least 90 percent of the MasterCard accounts identified as possibly being compromised in the breach must approve the agreement by May 2 for the settlement to take effect, Purchase, N.Y.-based MasterCard and Framingham-based TJX said in separate news releases.
In the Visa agreement, TJX won consent from more than 95 percent of Visa issuers within three weeks after the deal was announced Nov. 30. That agreement required 80 percent approval, rather than the MasterCard agreement's 90 percent threshold.
TJX President and Chief Executive Carol Meyrowitz said her company believes the latest agreement "provides a fair resolution for MasterCard and its issuing banks."
Joshua Peirez, chief payment system integrity officer for the nation's second-largest card network behind Visa, said the agreement "reflects MasterCard's continuing commitment to working with merchants and our customers to reach appropriate and fair resolutions of data breach events."
The $24 million is the maximum TJX would pay banks to recover breach-related expenses. Such expenses include replacing customers' cards - a security precaution that typically costs around $20 per card - and covering fraudulent expenses.
TJX disclosed the data heist in January 2007. The owner of more than 2,500 stores including T.J. Maxx and Marshalls said a couple months later that at least 45.7 million credit and debit cards were exposed to possible fraud in a computer systems breach that began in July 2005. The breach wasn't detected until December 2006.
Court filings last fall by banks that sued TJX put the number of affected cards at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the lawsuit. It's believed to be the largest breach ever, based on the number of customer records involved.
TJX and nearly all the banks and bank associations that sued over the breach settled the lawsuit in December for an undisclosed amount. Alabama-based Amerifirst Bank declined to settle and is continuing to pursue litigation. A lawsuit brought by consumers led to a settlement that a judge is scheduled to consider approving on July 15.
Last week, TJX agreed to a settlement with the Federal Trade Commission under which the company agreed to submit to an independent security audit every other year for 20 years.
TJX said the costs of yesterday's settlement are already covered by a financial reserve the company created to cover breach expenses. The company said in a regulatory filing last week that it recorded a total $197 million in breach-related pretax charges against last year's earnings. As of Jan. 26, the reserve balance stood at $117 million, an amount that included the cost from the Visa settlement.
Shares of TJX rose 40 cents, or 1.2 percent, to $34.44, and shares of MasterCard fell $5.85, or 2.6 percent, to $223.75.
There were 167 breaches in the U.S. in the first three months of 2008, up from 76 in last year's first quarter, the San Diego-based Identity Theft Resource Center announced yesterday.
Breaches disclosed so far this year have potentially affected 8 million people, said the nonprofit group, which counts breaches reported in news media and other sources that it considers reliable.
This year's biggest breach so far occurred at Hannaford Bros. Co., a Maine-based supermarket chain that said last month that hackers had exposed more than 4 million credit and debit card numbers in a breach that led to at least 1,800 cases of fraud. The breach affected Hannaford stores in the Northeast and Sweetbay stores in Florida that are owned by Delhaize America.
Last year, the Identity Theft Resource Center counted 446 breaches, up 43 percent from 2006.
Email this Article
Digg It
del.icio.usRelated Articles
- New Bill to tackle those phishing for IT fraud.
- Disclosure of data security breaches.
- Coakley not excited about TJX's plan for repayment; Officials say sale would help store, not data breach victims.
- COPS CHASE HIGH-TECH ID THIEVES.
- Coakley leads TJX charge; 30 states look to join probe.
- Leveraging the "Perfect Storm" of convergence.
- Lawsuit filed against TJX; Company director resigns.
- Preparing your company for a data breach.
- It's payback time for identity thief.
- National Resource Center for Safe Aging: www.safeaging.org.
- BRIEFLY.
- Cos rush to sign up Skills Registry.
- Taking the bait.
- Identity theft prevention. (New Products).
- Identity thieves: let's catch them if we can: nearly 10 million Americans had their identity stolen in the last year, making it the fastest growing white-collar crime.