TJ Maxx owner TJX has agreed to pay nearly $10m to 41 US
states for adata breachthat enabled the theft of millions of
debit and credit card numbers.
But the retailer said in statement that the agreement is not an
admission that TJX violated any consumer protection or data
security laws.
"The decision to enter into this settlement reflects TJX's
desire to concentrate on its core business without distraction and
promote cyber security measures that will benefit all consumers,"
the statement said.
The retailer has also agreed to boost security measures to
ensure that what is thought to be the biggest identify theft ever
reported does not happen again.
The agreement comes more than two years after hackers broke into
TJX's wireless network to steal the credit and debit card details
of customers.
TJX said the attack was carried out despite the company's
computer security being "as good as or better than most other major
US retailers."
Since the data breach was disclosed, TJX has paid millions in
compensation to customers whose details were stolen and to banks
that were defrauded as a result.
Jeffrey Naylor, chief financial officer at TJX, said the
settlement with the state attorneys general furthers the company's
goal of enhancing customer protection.
Both parties, he said, have agreed to take the lead in exploring
new technologies and approaches to solving the systematic problems
in the US payment card industry.
TJX will provide $2.5m to establish a data security fund to
advance effective data and security and a settlement amount of
$5.5m with $1.75m to cover the cost of investigating the
incident.
In August 2008, US prosecutors
charged 11 people on three continents in connection with what
was widely considered at the time as the largest ever reported
identity theft.
Those charged include three US citizens, three Ukranians, two
Chinese, an Estonian and a Belo-Russian. So far only two have
pleaded guilty to the charges.