Discount retailer TJX Cos. could pay as much as $24 million in a settlement Wednesday with MasterCard Inc. over a massive breach that exposed tens of millions of payment card numbers to hackers.
The pact came as a group that tracks U.S. data breaches reported the number of cases in the first three months of this year was more than double the total in last year's first quarter.
The MasterCard agreement, which follows a similar $40.9 million pact in November with Visa Inc., hinges on banks that issue MasterCards agreeing to waive rights to sue TJX in exchange for being paid for breach-related costs.
Issuers of at least 90 percent of the MasterCard accounts identified as possibly being compromised in the breach must approve the agreement by May 2 for the settlement to take effect, Purchase, N.Y.-based MasterCard and Framingham, Mass.-based TJX said in separate news releases.
In the Visa agreement, TJX won consent from more than 95 percent of Visa issuers within three weeks after the deal was announced Nov. 30. That agreement required 80 percent approval, rather than the MasterCard agreement's 90 percent threshold.
TJX President and Chief Executive Carol Meyrowitz said her company believes the latest agreement "provides a fair resolution for MasterCard and its issuing banks."
Joshua Peirez, chief payment system integrity officer for the nation's second-largest card network behind Visa, said the agreement "reflects MasterCard's continuing commitment to working with merchants and our customers to reach appropriate and fair resolutions of data breach events."
The $24 million is the maximum TJX would pay card-issuing banks to recover breach-related expenses. Such expenses include replacing customers' cards — a security precaution that typically costs around $20 per card — and covering fraudulent expenses.
TJX disclosed the data heist in January 2007. The owner of more than 2,500 stores including T.J. Maxx and Marshalls said a couple months later that at least 45.7 million credit and debit cards were exposed to possible fraud in a computer systems breach that began in July 2005. The breach wasn't detected until December 2006.
Court filings last fall by banks that sued TJX put the number of affected cards at more than 100 million, based on estimates by officials with Visa and MasterCard, who were deposed in the lawsuit. It's believed to be the largest breach ever, based on the number of customer records involved.
TJX and nearly all the banks and bank associations that sued over the breach settled the lawsuit in December for an undisclosed amount. Alabama-based Amerifirst Bank declined to settle and is continuing to pursue litigation. A lawsuit brought by consumers led to a settlement that a judge is scheduled to consider approving on July 15.
Last week, TJX agreed to a settlement with the Federal Trade Commission under which the company agreed to submit to an independent security audit every other year for 20 years.
TJX said the costs of Wednesday's settlement are already covered by a financial reserve the company created for its last fiscal year to cover breach expenses. The company said in a regulatory filing last week that it recorded a total $197 million in breach-related pretax charges against last year's earnings. As of Jan. 26, the reserve balance stood at $117 million, an amount that included the cost from the Visa settlement.
Shares of TJX rose 35 cents, or 1 percent, to $34.35 in afternoon trading, and shares of MasterCard fell $5.57, more than 2 percent, to $224.03.
There were 167 breaches in the U.S. in the first three months of 2008, up from 76 in the first quarter of last year, the San Diego-based Identity Theft Resource Center announced Wednesday.
Breaches disclosed so far this year have potentially affected 8 million people, said the nonprofit group, which counts breaches reported in news media and other sources that it considers reliable.
This year's biggest breach so far occurred at Hannaford Bros. Co., a Maine-based supermarket chain that said last month that hackers had exposed more than 4 million credit and debit card numbers in a breach that led to at least 1,800 cases of fraud. The breach affected Hannaford stores in the Northeast and Sweetbay stores in Florida that are owned by Delhaize America.