TJX / TJ Maxx

Friday, April 11, 2008

TJX Companies Agrees To A Settlement With MasterCard

The financial consequences for TJX Companies after its data breach keep mounting. Recently, CNN Money reported:

"Discount retailer TJX Cos. could pay as much as $24 million in a settlement Wednesday with MasterCard Inc. over a massive breach that exposed tens of millions of payment card numbers to hackers... The TJX agreement, which follows a similar $40.9 million pact in November with Visa Inc., hinges on banks that issue MasterCards agreeing to waive rights to sue TJX in exchange for being paid for breach-related costs."

It isn't over for TJX/TJ Maxx:

"Issuers of at least 90% of the MasterCard accounts identified as possibly being compromised in the breach must approve the agreement by May 2 for the settlement to take effect, Purchase, N.Y.-based MasterCard and Framingham, Mass.-based TJX said in separate news releases."

This should be a clear reminder to other retailers: adequately protect the personal data you collect about consumers!

Monday, February 18, 2008

TJX Creates New Executive Position For Privacy

The Boston Globe newspaper reported that TJX, the parent company of TJ Maxx and Marshalls retail stores, has created a new senior executive position for consumers' data privacy. Apparently, TJX has:

"... given the title of "chief privacy officer" to one of its senior executives and is looking to fill the position of "privacy director," according to a memo circulated by its search firm, Heidrick & Struggles. TJX spokeswoman Sherry Lang declined to provide more details yesterday except to note that senior executive vice president for administration and business development Jeffrey Naylor also gained the title of chief privacy officer within the past year."

TJX is best known recently for its massive data breach, in which identity thieves stole millions of consumers' credit card numbers and other sensitive data, a theft facilitated by the company's lax data security measures. Want to learn more about the TJX data breach debacle? Click on "TJX / TJ Maxx" in the topic section in the column on the right.

File this organizational move under the "too little way too late" category.

Friday, December 21, 2007

TJX Settles With New England Banks

According to the Boston Globe newspaper, TJX Companies has agreed with several New England banks to:

"... settle a high-profile lawsuit over payment card security practices in the wake of the record-setting data breach at the Framingham retailer that compromised up to 100 million accounts. TJX, the parent of discount retail chains including TJ Maxx and Marshalls, will pay community banks and trade groups in Massachusetts, Connecticut, and Maine a portion of their legal expenses."

Terms of the settlement were disclosed, but the newspaper added:

"...the deal won't add to the $256 million TJX previously had budgeted to deal with the breach, a spokeswoman said yesterday."

The TJX debacle is far from over:

"TJX still faces claims from an Alabama bank and probes by federal and state officials. Mary Monahan, partner at Javelin Strategy & Research in California, said the deal is a relative win for TJX and no surprise after a decision by a federal district court judge made it harder for the banks to join together to sue TJX as a class."

If you follow this saga closely, you'll notice that TJX has given cash to everyone except to those that matter most... its customers. TJX has paid off Visa, its lawyers, and now some of the banks -- all with cash. TJX offered checks to a few customers, but most received vouchers to shop at the store. This is not a customer-friendly response to the victims of the TJX data breach, regardless of how appealing its holiday TV commercials might be.

Want to learn more? Read the TJX section of this blog and BusinessWeek. Me? I'm off to Target and Best Buy to finish my holiday shopping.

Tuesday, December 18, 2007

TJX Settles Visa Suit About Data Breach

According to Consumer Affairs:

"TJX Companies Inc., the corporate parent of retail chains T.J. Maxx and Marshalls, has reportedly agreed to a $41 million settlement with Visa in connection with a massive data security breach."

You can read more about this at Reuters, the Boston Globe, and CNN Money. According to CNN:

"In return, Visa will suspend and rescind a portion of the data breach fines it levied on the retailer's U.S. acquirer that remain eligible for appeal. At least 80 percent of the eligible Visa issuers must accept by Dec. 19 for the settlement to finalize."

You may remember that the TJX breach happened in 2006 (some say 2005) and wasn't reported until the end of 2006. At first, some 45 million records were said to have been stolen, but the figure was later increased to about 90 million records. According to the news report, the card-issuing companies incurred about $65 to $80 million in expenses to replace the affected consumers' credit cards. Obviously, the card issuers want to be reimbursed by TJX for those expenses, since TJX was lax about its data security. If the banks and card issuers have to absorb this expense, then everyone else will effectively pay for TJX's lax data security through higher credit card fees and rates.

Wednesday, November 28, 2007

Data Security Gaps At Retail Stores Where You Shop

This past Sunday evening, the 60 Minutes television show presented an excellent segment on identity theft, titled "Hi-Tech Heist." The segment explained the poor data security practices at many of the retail stores and chains we shop at. More importantly, the segment showed how identity thieves steal consumers' credit card (and debit card) data via the retail stores' wireless data connections:

"When you swipe your credit card, your data is often transmitted through a wireless router either to a bank for approval or to the store's main computer. But the signal carrying your information bleeds easily through the walls."

The segment did a good job explaining how identity thieves steal data:

"[60 Minutes Correspondent] Stahl got her first lesson in something called "war driving" from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, outside in a van, can grab the stores' wireless data."

When retail stores use unsecure or poorly protected wireless connections, stealing data is easier than you think:

"We can just pluck it, is what you're saying, right through the wall," Stahl remarked. "Absolutely," Harms replied. All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results. "Right now, we're right in front of Best Buy," Stahl remarked. "Right so, Best Buy has a wireless network," Harms explained. The computer identified which stores have wireless signals. Some stores hide their identities, others don't. Besides Best Buy, Staples popped up, and Home Depot -- with its signature color -- wasn't hard to identify either.

What I found most irritating was that the segment reported that many retail stores still refuse to invest in effective, current data security methods, while being fully aware of the TJX/TJ Maxx data breach debacle. In an attempt to cut costs, retail companies still install and use obsolete encryption methods for the wireless transmission of your (and my) credit card information:

"WEP was encryption code developed in 1999, just as big chains started going wireless. But within a couple of years, hackers had cracked WEP, rendering it obsolete. If you go on YouTube today, you can learn how to disable it in minutes. Now, there's much better encryption code called WPA. In fact, credit card companies urge retailers to upgrade to WPA. But that's expensive, so many stores resist it even though hackers can tell who hasn't upgraded."

More about TJX / TJ Maxx:

"At the time of its break-in in 2005, TJX did have a security system. The problem was it was the outdated encryption code WEP. "Was TJX aware that they were using a system that was pretty much useless? Did they know that?" Stahl asks Jennifer Stoddart... TJX did know, but in a letter told 60 Minutes - in their defense, that they believe 'our security was comparable to many major retailers.' "

So, the retail chain with the largest data breach in USA history admits that its wireless security was no better (or worse) than other retailers'! That's pretty damning evidence about the retail industry, which seems more interested in making money than in providing secure transactions for consumers.
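The segment's point that "hackers can tell who hasn't upgraded" cuts both ways: a retailer can survey its own stores and flag every access point still on WEP (or wide open) before anyone else does. The Python below is an added example written for this post, not code from 60 Minutes, Mandiant or TJX; it grades constructed output in the style of Linux's `iw dev <iface> scan` (the SSIDs, BSSIDs and security mix are hypothetical) by reading the beacon's Privacy bit and its WPA/RSN elements.

```python
from typing import Dict, List, Tuple

# Constructed sample in the style of `iw dev <iface> scan` output. The SSIDs,
# BSSIDs and the mix of security settings are hypothetical.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
    SSID: STORE-POS
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
BSS 02:00:00:00:02:00(on wlan0)
    SSID: STORE-LEGACY
    capability: ESS Privacy ShortSlotTime (0x0411)
BSS 02:00:00:00:03:00(on wlan0)
    SSID:
    capability: ESS ShortSlotTime (0x0401)
BSS 02:00:00:00:04:00(on wlan0)
    SSID: STORE-OLDWPA
    capability: ESS Privacy ShortSlotTime (0x0411)
    WPA:     * Version: 1
         * Group cipher: TKIP
         * Pairwise ciphers: TKIP
"""

# WEP and open networks fail outright; original WPA and any TKIP cipher are
# deprecated and should be scheduled for upgrade; WPA2 with CCMP passes.
VERDICT = {"OPEN": "FAIL", "WEP": "FAIL", "WPA": "WARN",
           "WPA2-TKIP": "WARN", "WPA2": "PASS"}

def parse_scan(text: str) -> List[dict]:
    # One record per BSS, noting which security elements the beacon advertises.
    nets: List[dict] = []
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BSS "):
            cur = {"bssid": line.split()[1].split("(")[0], "ssid": "",
                   "privacy": False, "rsn": False, "wpa1": False, "tkip": False}
            nets.append(cur)
        elif line.startswith("SSID:"):
            cur["ssid"] = line[5:].strip() or "<hidden>"   # stores that hide their name
        elif line.startswith("capability:"):
            cur["privacy"] = " Privacy" in line            # some encryption is on
        elif line.startswith("RSN:"):
            cur["rsn"] = True                              # WPA2 (802.11i) element
        elif line.startswith("WPA:"):
            cur["wpa1"] = True                             # original WPA element
        elif "cipher" in line and "TKIP" in line:
            cur["tkip"] = True
    return nets

def classify(net: dict) -> str:
    if not net["privacy"]:
        return "OPEN"
    if net["rsn"]:
        return "WPA2-TKIP" if net["tkip"] else "WPA2"
    if net["wpa1"]:
        return "WPA"
    return "WEP"   # Privacy bit set but no WPA/RSN element: pre-802.11i WEP

def audit(text: str) -> Dict[str, Tuple[str, str, str]]:
    # bssid -> (ssid, mode, verdict) for every access point in the survey.
    return {n["bssid"]: (n["ssid"], classify(n), VERDICT[classify(n)])
            for n in parse_scan(text)}
```

Run it against a survey taken inside your own stores; any FAIL row is an access point that the segment's "free software" would find just as quickly.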

To me, this is a clear reminder that you should never use a debit card at a retail store. It's best to shop with cash until retailers improve their data security. If you haven't seen this 60 Minutes show, you can watch the 60 Minutes video online.

Wednesday, October 31, 2007

TJX Violated 9 Of 12 Data Security Standards

According to a recent ComputerWorld article:

"New documents filed in a Boston federal court Thursday by banks suing The TJX Companies Inc. over its data breach claim that the Framingham, Mass.-based retailer had not complied with nine of the 12 security controls mandated by the Payment Card Industry (PCI) data security standards when the breach occurred."

Some of the reported problems:

"... a failure to properly configure its wireless network, a failure to segment networks carrying cardholder data from the rest of TJX's network and the storage of prohibited data. A forensics expert hired by the company to probe the incident, which exposed data on some 94 million accounts, also identified other deficiencies such as improper patching practices and a failure to maintain adequate logs."
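Of the deficiencies listed, "storage of prohibited data" is the one a retailer can check for itself with a simple log scan. The Python below is an added example for this post, not code from TJX, the banks' filings or the forensics report: it looks for full magnetic-stripe track data and card verification codes in constructed POS log lines (the log format is hypothetical and the card numbers are public test numbers), applying a Luhn check to avoid reporting random digit runs and masking anything it does find so the report itself is not prohibited data.

```python
import re
from typing import List, Tuple

# Magnetic-stripe track layouts: track 1 starts %B<PAN>^<NAME>^<YYMM>..., track 2
# starts ;<PAN>=<YYMM>... Full track contents and card verification codes must not
# be stored after authorization, so finding them in logs is a PCI finding.
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})")
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

# Constructed POS log lines (hypothetical format); the PANs are public test numbers.
SAMPLE_LOG = """\
2007-11-28T20:14:03 pos01 auth ok pan=************1111 amt=42.17
2007-11-28T20:14:09 pos02 DEBUG raw=;4111111111111111=2512101000000000?
2007-11-28T20:15:44 pos02 DEBUG track1=%B5555555555554444^DOE/JANE^2512101?
2007-11-28T20:16:01 pos03 auth declined cvv2=123 pan=************4444
"""

def luhn_ok(pan: str) -> bool:
    # Mod-10 check so that random digit runs are not reported as card numbers.
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    # Keep only the last four digits so the finding itself is safe to store.
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_line(line: str) -> List[Tuple[str, str]]:
    hits = []
    for label, pat in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pat.finditer(line):
            if luhn_ok(m.group(1)):
                hits.append((label, mask(m.group(1))))
    if CVV.search(line):
        hits.append(("cvv", "<redacted>"))
    return hits

def scan_log(lines) -> List[Tuple[int, str, str]]:
    # (line number, data type, masked reference) for every prohibited-data hit.
    return [(n, label, ref) for n, line in enumerate(lines, 1)
            for label, ref in scan_line(line)]
```

The first sample line, which stores only a masked card number, produces no finding; the debug lines that dumped raw track data and a verification code do.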

If there's one thing I've learned, I now pay attention to news reports about data breaches at retail stores. If the retailer has a poor data security record, I won't shop there. Why? Simply, I can't trust them to protect my personal data. On the rare chance that I temporarily go insane and shop at a retailer with a spotty data security record, I'll pay for my purchases with cash.

Friday, October 26, 2007

Double Trouble For TJX

From the Boston Globe newspaper:

"More than 94 million accounts were affected in the theft of personal data from TJX Cos., a banking group alleged in court filings, more than twice as many accounts as the Framingham retailer has said were affected in what was already the largest data breach in history."

This massive data breach affected about 65 million Visa credit card holders and about 29 million MasterCard credit card holders. The banks had sued TJX to recover the costs incurred in replacing their customers' accounts with new cards and account numbers.

"A Visa official also put fraud losses to banks and other institutions that issued the cards at between $68 million and $83 million on Visa accounts alone..."

I have absolutely no sympathy for TJX. When a retailer accepts payments from customers using sensitive personal data (e.g., credit card numbers, checking account numbers, etc.), it is the retailer's responsibility to protect that personal data... especially since they are making money from the consumers' purchases. If the retailer wants the benefits, then the retailer must also accept the risks and the responsibility. It is not right to pass the cost (and the responsibility) to banks when they re-issue credit card numbers.

Consumers expect the retailer to employ adequate and updated data security measures. Consumers expect the retailer to notify them promptly of any and all data breaches, regardless of whether the states' laws specify notification.

If a retailer can't protect consumers' sensitive data, then don't accept it. It's really that simple. Want to learn more? Read my archive of TJX posts.

Friday, October 12, 2007

Some TJX Customers Receive Checks

From the Thursday October 11, 2007 Boston Globe:

"Some TJX Cos. customers whose credit card information was stolen from the Framingham retailer could get $15 checks as part of a revised settlement agreement proposed in federal court yesterday. TJX, the parent of stores including TJ Maxx and Marshalls, struck the new deal with plaintiff attorneys after a federal judge questioned an earlier agreement between the two sides last month."

Why the deal was revised (and should have been revised):

"Previously TJX had offered to give $30 store vouchers to certain customers who had lost time or money as a result of the loss of the data, valuing their time at $10 an hour. Consumer advocates said the vouchers wouldn't effectively penalize TJX, because the vouchers could be used only in company stores. Under the new terms, TJX will still offer the vouchers, but would give customers the option of getting a check instead."

Vouchers are worthless for identity theft victims who have lost trust in TJX companies and don't want to shop there. And there has to be a consequence when a company suffers a data breach and is slow to acknowledge and fix the breach.

Is a $15 check enough? No, but some cash is a step in the correct direction.

Thursday, September 27, 2007

More Analysis of TJX's Offer To Its ID-Theft Victims

The Truston Identity Theft blog has an interesting analysis of TJX's actions. The post covers two important points. The first is what I call "yield:" the number of ID-theft victims that opt-in for a company's free credit monitoring offer:

"They (TJX) offer credit monitoring to just 10% of the total breach number (455,000) and then announce a retail sale at the same time. If they require the victims to opt-in and order the monitoring to get it, then they will likely only have to pay for around 20–30% of the 455,000 they are offering it to. That’s a rule of thumb in the industry for the typical number of people that opt-in for free victim support for credit monitoring. So, 45 million accounts are breached and maybe TJ Maxx ends up paying for services for 90,000–135,000 people."

Wow! What a slick move to minimize responsibility. In my opinion, total sleaze.

Now the second point: synthetic ID-theft. This is when the identity thief mixes one person's SS# with another person's name in an attempt to evade detection. The Truston blog references Ed Dickson's Fraud, Phishing, and Financial Misdeeds blog:

"One thing that concerns me is that the settlement offer states that one of the requirements to receive compensation will be that the identification number compromised has to match their Social Security number. I guess that TJX and their affiliates don't want to address the rising phenomenon of synthetic identity theft? When synthetic identity theft is committed different parts of a person's identity are crafted to create a new one."

Ed also provides some good background on the shady world of re-selling personal data:

"In the identity theft world -- which is what the concern about this data breach is all about, when a SSN or SIN (in Canada) is compromised -- the criminal compromising the information has all the information necessary to complete a full identity assumption. In the dark world of Internet forums that sell this information, a complete identity (SSN, or SIN included) is often referred to as a "full." The complete information on a person is simply worth a little more money to the criminals purchasing it."

Lovely, eh?

Wednesday, September 26, 2007

Canadian Officials Criticize TJX's Data Security

More about TJX from yesterday's Daily Business Update:

"Retailer TJX Cos. failed to put in place adequate security safeguards to protect customer information, the privacy commissioner of Canada said today."

TJX operates the Winners and HomeSense retail chains in Canada. The news article explained further:

"A joint investigation by Canada's commissioner of privacy and Alberta's privacy commissioner was launched after TJX, the Framingham-based operator of such chains as T.J. Maxx and Marshalls, disclosed in January that its computer system had been breached, resulting in the theft of millions of credit card and debit card numbers..."

Perhaps most importantly:

"The company collected too much personal information, kept it too long, and relied on a weak encryption technology to protect it - putting the privacy of millions of customers at risk..."

Do you still want to shop at Marshalls, HomeGoods, and/or TJ Maxx? First, read this background about TJX's out-of-court settlement. Then, read a January 2007 TJX press release about how TJX was improving its data security:

"[TJX] immediately engaged General Dynamics Corporation and IBM Corporation, two leading computer security and incident response firms. TJX has been working aggressively with these firms to monitor and evaluate the intrusion, assess possible data compromise, and seek to identify affected information. These firms have assisted TJX in further securing its computer systems and implementing security upgrades."

Yep! That's the same IBM that suffered its own data breach in February 2007 and lost an undisclosed number of records with sensitive personal data about its employees and former employees.

Last, the N.H. Department of Justice web site posts copies of all data breach notification letters it receives. I checked the site this morning and noticed that TJX hadn't updated their January breach notification letter, portions of which contain old and obsolete information.

TJX's Offer To Its ID-Theft Victims Deserves Scrutiny

At the Javelin Strategy blog, Mary Monahan analyzes TJX's announcement and settlement offer to its ID-theft victims:

"Late Friday night, after sundown on Yom Kippur to be exact, TJX made the announcement of the settlement agreement for their customer class action suits. In retail delivery, timing is critical and TJX has taken that message to heart. Tired of the constant negative PR, TJX decided to slip this announcement in at a time when it would get the least notice and press play."

I really like this part:

"... TJX has come to a settlement: three years of credit monitoring to those consumers whose personal information such as driver’s licenses and Social Security numbers were stolen in the breach (455,000) and a $30 TJX voucher for those clients who can show that they lost time and money due to its data breach (e.g., those whose credit card numbers were breached, namely, 45.7 million consumers), and $6.5 million to the attorneys."

Three years of free credit monitoring is a solid step in the right direction, and a longer period than most other companies offer. More importantly, Monahan does an excellent job of shining a spotlight on TJX's marketing:

"A voucher to get millions of customers into its stores to shop. How neat and clean for TJX. And with a voucher, either money is left on the table, or consumers end up spending more money in the store to realize the full value of the certificate. Some lucky consumers will even get two vouchers if they can prove their costs exceed $60."

A voucher is good only if you plan to shop at a TJX brand store. If you are one of the thousands of former TJX customers who vow to never shop at a TJX-brand retail store again, the voucher is worthless. It's like giving somebody the sleeves off a vest. This is not responsible corporate citizenship. If TJX is going to pay its ID-theft victims, then pay them! Cash is always good. And if they can pay the lawyers in cash, they can pay their customers in cash, too.

The Javelin Strategy blog adds:

"Vouchers to clear up lawsuits are frowned upon by consumer rights advocates because they can drive up sales; even while class action attorneys accept them eagerly because they pocket larger fees as a result. Note that attorney fees are not paid in vouchers; if they were, we’d quickly see an end to this settlement practice... this is a merchandising company who knows how to milk a data breach for every sales dollar."

I strongly encourage you to read the complete Javelin Strategy blog post... and boycott TJX brand stores. I already do. Here's the list of retail stores owned by TJX:

  • A.J. Wright
  • Bob's Stores
  • HomeGoods
  • HomeSense (Canada)
  • Marshalls
  • TJ Maxx
  • TK Maxx
  • Winners (Canada)

To learn more, also read the TJX Settlement Agreement online and read this prior TJX post.

Monday, September 24, 2007

TJX Settles Out Of Court On Data Breach Lawsuit

From the September 21 Boston Globe newspaper:

"[Reuters - September 21, 2007] NEW YORK --TJX Cos Inc said Friday it and Fifth Third Bancorp had agreed to settle class action lawsuits brought on behalf of customers in the United States, Puerto Rico and Canada who were victims of a criminal intrusion into TJX's computer system."

This news story also made headlines in Canada. What I found most important in this news article:

"Under the settlement, which is subject to certain conditions, TJX customers who had their drivers license or other identification information stolen after making returns without a receipt, are being offered two to three years of credit monitoring and identity theft insurance and the cost of replacing IDs. Other affected customers are to receive vouchers, the company said."

Note: TJX offered its identity-theft victims 2 to 3 years of credit monitoring, not one year as IBM offered in response to IBM's data breach.

  • George Jenkins, author of the I've Been Mugged Blog

  • © 2007 - 2008. George Jenkins. All Rights Reserved.