Meanwhile, TJX chairman Ben Cammarata has launched a media blitz to assure customers that the company is taking concrete steps to secure credit card data. The effort includes full-page ads that appeared in several New England newspapers over the weekend, and a video message from Cammarata on the TJX Web site. In that message, he said TJX has decided not to offer credit monitoring for affected customers.
"Based on the type of data involved in the breach of our systems, we don't believe that such monitoring will be meaningful to customers," Cammarata said in the video.
In the newspaper ads, he said delaying an announcement on the breach allowed the company to secure its systems and prevent an expanded breach.
"By delaying a public announcement, with the help of top computer security experts, we were able to contain the problem and further strengthen our computer network to prevent further intrusion," Cammarata said in the ad. "Therefore, we believe that we were acting in the best interest of our customers."
West Virginia resident Paula G. Mace, whose credit card information was reportedly stolen in the breach, does not agree. According to The Boston Globe, a class action lawsuit was filed on her behalf in US District Court in Boston Monday, accusing the retailer of negligence for not doing enough to secure customer data and for keeping quiet about the breach for a month.
"Because of TJX's actions, hundreds of thousands or even millions of its customers have had their personal financial information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages," according to the lawsuit.
The lawsuit seeks credit monitoring services and any damages incurred by affected customers.
TJX disclosed the breach earlier this month, saying an attacker exploited a flaw in a portion of its computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The intrusion may involve customers of its T.K. Maxx stores in the U.K. and Ireland and could also extend to TJX's Bob's Stores in the U.S., the company said. The discovery was made in December, but the retailer said investigators asked to delay an immediate announcement of the breach during the initial part of the investigation.
Last week, the Massachusetts Bankers Association said several of its member banks reported fraudulent transactions associated with the TJX data breach.
The stolen data was used to make purchases in Florida, Georgia and Louisiana as well as Hong Kong and Sweden, the trade group said. In addition, credit card issuers have contacted 60 banks about compromised cards, the bankers association said.