Customers On T.J. Maxx Data Breach: Some Sue, Others Spend - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Business & Finance

Customers On T.J. Maxx Data Breach: Some Sue, Others Spend

The latest sales figures are positive, but the retailer is facing a flood of lawsuits from store customers and financial institutions.

The costs and lawsuits continue to grow for TJX Companies -- parent of T.J. Maxx, Marshalls, and other retailers -- thanks to the now-infamous security breach to its IT systems, but the threat of identity theft and credit card fraud aren't enough to keep shoppers away.

The company Thursday reported a $20 million computer-intrusion-related charge for its third quarter, ended April 28. Sales were up about 6%, to $4.11 billion, from the same quarter a year ago.

Although the timing and extent of the intrusion into TJX's IT systems is in dispute, the company reported late last year that it suffered an unauthorized intrusion or intrusions into portions of its computer system that process and store information related to credit and debit card, check, and no-receipt merchandise return transactions. This admission that customer information was stolen from some stores dating back to 2003 has opened the floodgates to lawsuits from store customers afraid of identity theft and from financial institutions whose customer service costs have increased as a result of worried clients.

TJX claimed in a regulatory filing Thursday that it does not know "who took this action, whether there were one or more intruders involved, or whether there was one continuing intrusion or multiple, separate intrusions." The $20 million, or 0.5% of net sales for the quarter, TJX already has spent related to the intrusion has gone toward investigating and containing the computer intrusion, work to improve the company's computer security and systems, communicating with customers, and technical, legal, and other related costs, the company stated.

Costs are likely to increase quickly. Payment card issuers, such as Visa, have initiated Payment Card Industry security standard compliance claims against some of TJX's acquiring banks seeking reimbursement, according to TJX, for about $4 million in fraudulent payment card transactions. The transactions were made with counterfeit payment cards believed to have been created using payment card transaction information allegedly stolen during the TJX computer intrusion. PCI members also could issue fines against TJX for noncompliance with the PCI standards.

That's just scratching the surface, as TJX is facing class-action lawsuits from customers in state and federal courts in Alabama, California, Illinois, Massachusetts, Michigan, Ohio, and Puerto Rico, as well as in provincial Canadian courts in Alberta, British Columbia, Manitoba, Ontario, Quebec, and Saskatchewan. Additional class-action suits from financial institutions affected by the computer intrusion -- those issuing credit and debit cards used during the time of the intrusion -- have been filed against TJX in federal court in Massachusetts. All-told, nine lawsuits have been filed against TJX since April 17.

TJX claims that it doesn't know the extent of any fraudulent use of any of the payment card information believed stolen and that the company doesn't know the details of the ongoing law enforcement investigations into the crime. The company is aware, however, that law enforcement and 37 state attorneys general are looking into whether the computer intrusion violated any laws regarding consumer protection. The company has received subpoenas from 11 of these attorneys general.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2019 State of DevOps
2019 State of DevOps
DevOps is needed in today's business environment, where improved application security is essential and users demand more applications, services, and features fast. We sought to see where DevOps adoption and deployment stand, this report summarizes our survey findings. Find out what the survey revealed today.
Will AI and Machine Learning Break Cloud Architectures?
Lisa Morgan, Freelance Writer,  6/10/2019
9 Steps Toward Ethical AI
Cynthia Harvey, Freelance Journalist, InformationWeek,  5/15/2019
Humans' Fascination with Artificial General Intelligence
Guest Commentary, Guest Commentary,  6/6/2019
Register for InformationWeek Newsletters
Current Issue
A New World of IT Management in 2019
This IT Trend Report highlights how several years of developments in technology and business strategies have led to a subsequent wave of changes in the role of an IT organization, how CIOs and other IT leaders approach management, in addition to the jobs of many IT professionals up and down the org chart.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll