TJX offers £20m settlement over breach

Tom Espiner ZDNet.co.uk

Published: 03 Dec 2007 15:22 GMT

The parent company of TK Maxx in the UK has offered to settle with banks for $40.9m (£19.8m) over the world's largest commercial security breach.

The settlement agreement, which needs to be accepted by 80 percent of Visa issuers to become effective, would guarantee up to a maximum of $40.9m (£20m) pre-tax in "alternative recovery payments", TJX said in a statement.

"We believe this settlement agreement provides a fair resolution of these issues, and look forward to a high issuer acceptance of the proposal," said Carol Meyrowitz, president and chief executive officer of TJX Companies in a Friday statement. "At TJX, we have learned a great deal about the risks of cyberattacks and have responded aggressively to take our own security to even higher levels."

Each accepting bank will waive certain rights to any other asset recovery from TJX "through litigation or otherwise", according to the statement. Visa will suspend and rescind certain fines imposed on the retailer, while TJX will pilot new payment card security technology and "serve as a spokesperson in support of the goals of the Payment Card Industry — Data Security Standards [PCI-DSS]". These standards govern how data is kept secure during transaction processes.

Visa found TJX to be in breach of PCI-DSS in January, after TJX admitted its systems had been hacked.

TJX admitted in March that 45.7 million customer accounts had been compromised in attacks over two years. Investigators claimed the breaches came as a result of TJX's Wi-Fi network being sniffed and the WEP encryption protocol used by TJX being broken. However, a group of plaintiff banks claimed as part of a lawsuit in October that as many as 96 million credit-card details had been lost.

TJX stated in an SEC filing in July that cyberthieves first accessed its computer systems in July 2005 and installed software to harvest sensitive customer information such as account information, names and addresses, driver's licence numbers and military and state identification. The breach continued until mid-January 2007.

Affected accounts included those involved in credit and debit card transactions, as well as cheques and returned merchandise without receipts at the company's Marshalls, TJ Maxx, HomeGoods and AJ Wright stores in the US and Puerto Rico. Credit-card transactions at TJX's Winners and HomeSense stores in Canada, as well as credit and debit card transactions at its TK Maxx stores in Ireland and the UK, were also compromised.
