Massachusetts Attorney General Martha Coakley Announces $10
Million Multi-State Settlement with T.J.X. Corporation
Statement June 23, 2009
Attorney General Martha Coakley:
Good afternoon. Massachusetts Attorney General Martha Coakley.
Today, Massachusetts and 40 other states involved in a multi-state investigation announce a settlement in
the matter of T.J.X., after a massive data breach that awoke the country to both the risks of, and the need
for, diligence about use of confidential and personal financial data for consumer transactions. This
settlement involves almost $10 million and conditions that we believe will both mitigate the damages
caused by the breach in the past and help make more secure such consumer transactions in the future.
By way of background, in January 2007, T.J.X., the Framingham, Massachusetts-based company that
owns popular retailers Marshalls, T.J. Maxx, and Home Goods, announced that they became aware of a
massive data breach affecting millions of consumers. Soon thereafter, Massachusetts assembled a task
force of over 40 attorneys general from across the country, and Massachusetts led an extensive
investigation into the breach and specifically into T.J.X.’s data security policies and the procedures that
were or weren’t in place when the breach occurred.
During the course of that investigation, we and the other states found that beginning in 2005, and
continuing through 2007, several individuals had accessed sensitive personal and financial information at
those T.J.X. stores. They accomplished this in two phases. First, from July through November of 2005,
the intruders exploited the wireless network of two Marshalls department stores in Miami, Florida, and
accessed unencrypted data and unprotected data relating to consumer transactions dating back to 2002,
information that those stores had kept on file. It is believed that more than 94 million debit and credit
cards were affected during this phase one of the breach.
Phase two was May through December of 2006. The intruders established a connection with the T.J.X.
payment card transaction processing server and installed what’s called a “sniffer,” that is, a device that
was able to pick up from wireless transactions the confidential information. And it captured that so-called
“Track-2” data, the data that’s contained on the magnetic strip on the back of a credit or debit card,
including the account numbers for those cards. We believe that this connection gave the intruders
unfettered access to millions of T.J.X. credit and debit card transactions between 2003 and 2006.
Once we had learned this, we continued to investigate T.J.X.’s data security policies and procedures in
place when the breach occurred. And, of course, our investigation did not include the criminal
investigation. There was a parallel, and ongoing, federal investigation as to that.
Our investigation on the civil side uncovered a number of vulnerabilities and flaws in the T.J.X. data
security system that both: first, facilitated that unlawful intrusion; and secondly, and perhaps even more
importantly, permitted the intrusion to last undetected for a completely unacceptable duration of time.
Today’s settlement both reflects and incorporates the lessons that we learned from this data breach. It
requires T.J.X. to implement an information security program designed to guard against future intrusions
or unauthorized disclosures. This settlement’s relief in that regard is the most comprehensive settlement
achieved to date following a data breach investigation. This settlement requires T.J.X. to implement a
wide-ranging number of enhancements to its data security processes. It ensures, we believe, that T.J.X.
will employ a comprehensive information security program that assesses the internal and external risk to
consumers’ personal information. It implements safeguards that will best protect consumer information,
and regularly monitors and tests the efficacy of those safeguards. It also requires T.J.X. to provide the
attorneys general with periodic updates and reports of compliance with this information security protocol.
T.J.X. is also required to notify the attorneys general within 10 days of any security breach.
As to the monetary settlement, under this agreement, T.J.X. will pay the states $9.75 million: $5.5
million of that will be dedicated to data protection and consumer protection affected by the states, to be
divided among those states; $1.75 million will reimburse the costs and fees of the investigation to the
states; $2.5 million of the total will fund a data security trust fund, to be used by the attorneys general to
advance enforcement efforts and policy development in the field of data security, and protecting
consumers’ personal information.
Massachusetts, as the lead state in this effort, will hold the money in trust for the benefit of the states, with
a committee of five to determine for what that money should be used. Some examples would be to
research technology, best practices protocol, and model legislation, as well as to develop and implement
programs, education and outreach for data security to protect consumers.
Massachusetts will receive nearly $1 million of the total paid, some to be used for attorneys’ fees, and
Massachusetts will use the remainder of the fees to enhance existing protection for consumer personal
data, including consumer education, and resolution of reported breaches to the Massachusetts Attorney
General’s Office under our own law regarding data privacy.
T.J.X. has been cooperative with the attorneys general throughout this investigation and we believe
that by reaching today’s settlement we avoid lengthy and extensive litigation. And we also provide both
accountability for T.J.X., given this massive breach, and also allow the states, with T.J.X., to improve
consumer protections for their customers, and others throughout the country. We believe it is a successful