The credit card details of more than 45 million TJX customers
were compromised in March when data thieves broke into insecure
computer systems and took the details. It is thought to be the
biggest data breach ever.

The company has now agreed to pay out $40.9 million to Visa
member banks in return for those banks agreeing "to release TJX and
its U.S. acquirers from legal and financial liability," according
to a statement from Visa and TJX.

TJX was criticised at the time of the breach for having lax data
security. Some of the information was obtained by simply hacking
into wireless networks used to transmit credit card details.

Visa's head of global risk management Ellen Richey said she
hoped that companies would spend more on improving security. "We
hope one outcome of this resolution is recognition that a greater
investment in security is good business," she said. "It's clear the
impact of a data compromise harms all payment system stakeholders –
merchants, banks and consumers alike."

Visa and TJX said that banks would receive more under this
scheme than under alternatives, and that they will have to agree
not to pursue other fund recovery schemes in order to accept this
one.

"It is expected that financial institutions will receive greater
reimbursement by opting into the TJX settlement than they would
have received under the traditional or ADCR programs," said the
statement.

The incident received worldwide attention and will have involved
some cards belonging to UK and Ireland customers because there were
breaches there. Anyone who shopped between January 2003 and June
2004 is at risk, the company said at the time.

The deal offered to Visa is not available to banks outside the
US, however.

TJX said at the time that 75% of the cards had expired or had
their numbers blacked out, but did admit that decryption software
programs might be able to fill in some of the blacked-out
numbers.