The TJX Companies, Inc., a discount retailer, said Friday it settled class action lawsuits in the United States, Canada and Puerto Rico stemming from a massive security breach of customer data that affected at least 45 million credit and debit cards.
The announcement did not specify the settlement, but noted that its estimated costs were included in a $107 million reserve included in its second-quarter report for fiscal 2008 and its estimate of $21 million in costs expected in fiscal 2009.
The company said it denied the allegations in the lawsuits. It concluded that more legal action would be time-consuming and expensive.
"We deeply regret any inconvenience our customers may have experienced as a result of the criminal attack on our computer system," TJX President and CEO Carol Meyrowitz said in a statement.
On Jan. 17, TJX disclosed a breach of its computer systems by an unknown hacker or hackers who accessed card data from transactions as long ago as late 2002. On March 28, TJX said at least 45.7 million of its shoppers' cards had been compromised. Independent organizations that track data thefts say the TJX case is believed to be the largest in the U.S. based on the number of customer records compromised.
TJX says about three-quarters of the 45.7 million cards had either expired by the time of the theft, or the stolen information didn't include security code data from the cards' magnetic stripes. However, TJX also has said the intruders could have tapped the unencrypted flow of information to card issuers as customers checked out with their credit cards.
The company and U.S. Secret Service are investigating. The only arrests so far have come in Florida, where 10 people who aren't believed to be the TJX hackers were charged with using stolen TJX customer data to buy Wal-Mart gift cards.
TJX operates 2,500 retail outlets, including T.J. Maxx, Marshalls, HomeGoods, A.J. Wright and Bob's Stores in the United States, Winners and HomeSense stores in Canada, and T.K. Maxx stores in Europe.