TJX Settles With Feds

No Fines, But 20 Years of Audits Result from Data Breach
The Federal Trade Commission has settled with discount retailer TJX, charging that the retailer failed to provide "reasonable and appropriate security for sensitive consumer information."

While no fines were levied, the FTC will require the retailer to implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years. The Framingham, MA-based company's 2,500 stores include the T.J. Maxx and Marshalls chains.

Last January, TJX revealed its computer servers had been hacked, and more than 45 million customer records were breached. (See: TJX Settlement)

Data broker Reed Elsevier PLC and its Seisint subsidiary also were cited for the same security failures and face the same punishment. (See FTC press release: Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers' Data)

This is the second settlement TJX has made as a result of the largest consumer breach in history. The first settlement, with VISA, came last November and cost the retailer $40 million. (See TJX, Visa Agree to $40.9 Million Payout for Data Breach).

"By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," says FTC Chairman Deborah Platt Majoras in the FTC statement. The TJX settlement is the 20th case where the FTC has used its regulatory muscle to rein in security-deficient companies that don't protect sensitive consumer information.

Findings

The FTC charges that TJX failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks.

The FTC's investigation shows an intruder exploited these failures and obtained tens of millions of credit and debit payment cards that consumers used at TJX's stores, as well as the personal information of approximately 455,000 consumers who returned merchandise to the stores.

Banks and credit unions say millions of dollars in fraudulent charges were made on the breached cards, and as a result of the breach the institutions were forced to cancel or reissue millions of cards. A class action suit brought by state banking associations on behalf of banks ended with the banks recouping some of their losses as part of TJX's settlement with VISA.

The FTC charges that TJX:

  • Created an unnecessary risk to personal information by storing it on, and transmitting it between and within, its various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require network administrators and others to use strong passwords or to use different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software.

The settlement with TJX requires it to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from or about consumers. The auditors will be required to certify that the companies' security programs meet or exceed the requirements of the settlement.

The FTC coordinated its investigation of TJX with 39 state Attorneys General, led by the office of the Massachusetts Attorney General.


About the Author

Linda McGlasson
Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently, Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she has been involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.