This incident has 0 proposed changes. Know of details that have changed? Submit them Showing Incident 548

SUMMARY

Hack exposes 94 million credit card numbers and transaction details
Records	94,000,000
Record Types	CCN NAA
Breach Type	Hack
Data Family	Electronic
Source	Outside
Organization	TJX Companies Inc.
Other Affected/Involved Organizations	None
Lawsuit?	YES
Data Recovered?	NO/UNKNOWN
Arrest?	NO/UNKNOWN
Submitted By:	Anonymous

STOCK PRICE

Chart?chxt=x,y&chxl=0:|jan-3|jan-24|feb-13|&chxr=1,27.30,30.23&cht=lc&chd=t:28.67,29.72,29.08,28.89,29.27,29.49,29.94,29.94,29.85,29.63,29.5,30.03,29.95,29.84,30.04,29.79,29.5,29.39,29.47,29.57,28.49,28.69,28.11,28.35,28.18,28.6,28.09,28.05,28.1,28.62,28.72,28.47,28.62,28.18,28.64,28.47,28.25,27.54,27.5,27.52,27.3|29.34,29.34,29.38,29.38,29.20,29.20,29.26,29.26,29.25,29.25,29.30,29.30,29.49,29.49,29.63,29.63,29.66,29.66,29.63,29.63,29.54,29.54,29.63,29.63,29.47,29.47,29.58,29.58,29.83,29.83,29.49,29.49,29.46,29.46,29.42,29.42,29.59,29.59,29.79,29.79,29.95,29.95,30.00,30.00,29.97,29.97,29.99,29.99,30.03,30.03,30.00,30.00,29.78,29.78,29.69,29.69,29.91,29.91,30.14,30.14,30.17,30.17,30.15,30.15,30.23,30.23,30.19,30.19,30.16,30.16,30.06,30.06,30.02,30.02,28.98,28.98,29.14,29.14,29.06,29.06,28.73,28.73&chds=27.30,30.23&chco=008000,aaffff,ffaaff,ffffaa&chs=460x320&chm=v,990066,0,10,1

SIMILAR INCIDENTS

records	date	organizations
90,000,000	1984-06-01	TRW, Sears Roebuck
77,000,000	2011-04-26	Sony Corporation
50,000,000	2008-08-27	Unknown Organization

TIMELINE

Date	Event
None. Add Data	Incident Occurred
New Timeline Item For Incident Occurred Date Reference URL Spam Check: Are you human?
None. Add Data	Incident Discovered By Organization
New Timeline Item For Incident Discovered By Organization Date Reference URL Spam Check: Are you human?
2007-01-17	Organization Reports Incident
New Timeline Item For Organization Reports Incident Date Reference URL Spam Check: Are you human?
None. Add Data	Organization Mails Notifications
New Timeline Item For Organization Mails Notifications Date Reference URL Spam Check: Are you human?
None. Add Data	Records Recovered
New Timeline Item For Records Recovered Date Reference URL Spam Check: Are you human?
2007-01-29	Lawsuit Filed
New Timeline Item For Lawsuit Filed Date Reference URL Spam Check: Are you human?
2008-08-21	Arrest Made
New Timeline Item For Arrest Made Date Reference URL Spam Check: Are you human?

MAP OF INCIDENT LOCATION

Address: USA
Have a better address for this incident? Suggest it!

suggest a new reference

REFERENCES

suggest a new attachment

ATTACHMENTS

tjx_companies_settlements.pdf STATE OF NEW YORK EXECUTIVE DEPARTMENT CONSUMER PROTECTION BOARD FTC/TJX Companies, Data Brokers and Other Settlements report

KNOWN COURT CASES

CLOSED - SETTLED

States Attorneys General v. TJX Companies, Inc.

Filed On

Justia Link

Pacer Link

Court

Federal?

Case Number

Pacer Case Number

Incident

2009-06-23

N/A

Various

false

548

Case Files

Assurance of Discontinuance

Awards / Settlements

Award	Monetary Value	Description
Discretionary Funds	$5,500,000.00	$5.5 million to be distributed as designated by and in the sole discretion of the Attorneys General as part of the resolution of their respective investigations under the state consumer protection laws regarding the Subject Matter of this Assurance. Said payment shall be used by the Attorneys General to fund or assist in funding, consumer education, outreach, prevention or monitoring programs, consumer protection enforcement, litigation, local consumer aid funds, consumer protection enforcement funds and
Data Security Fund	$2,500,000.00	Data Security Fund. $2.5 million payable to the Massachusetts Office of the Attorney General, to be distributed as designated by and in the sole discretion of the Attorneys General for the purposes of initiatives by the States to research the benefits of data security technology and develop best practices, protocols, policies or model legislation or regulations concerning data security or data security technology; and develop and implement programs, education and outreach for consumers with respect to data security; for other efforts to examine data security matters and to protect consumer privacy; and for other uses permitted by state law. This payment ($2.5 million) to the Data Security Fund shall be held in trust by the Massachusetts Office of the Attorney General for the benefit of the Attorneys General of the States consistent with this paragraph VII.A.2. Distributions from the Data Security Fund may come from interest or principal and shall be made only pursuant to instructions from a majority of the five State Attorneys General that comprise the Data Security Fund Committee, namely, the Attorneys General of California, Florida, Massachusetts, Pennsylvania and Tennessee;
Attorney Fees and Costs	$1,750,000.00	Attorney Fees and Costs
	$9,750,000.00

OSF Summary

This settlement was agreed to by 41 states attorney's general, led by Massachusetts. It essentially settles all lawsuits filed by the 41 signatories, in exchange for various criteria (security steps that the organization has to abide by and/or implement), as well as some monetary awards detailed above.

There was no single, federal lawsuit field by the attorney's general, instead this addresses all the individual lawsuits filed in state courts by the attorneys general.

CLOSED - SETTLED

CONSUMER - In Re: TJX Companies Retail Security Breach Litigation

Filed On

Justia Link

Pacer Link

Court

Federal?

Case Number

Pacer Case Number

Incident

2007-01-29

Pacer Docket

Justia

District of Massachusetts

true

1:07-cv-10162-WGY-CONSUMER

548

Case Files

Awards / Settlements

Award	Monetary Value	Description
Plaintiffs Attorney's Fees	$6,500,000.00	Plaintiffs Attorney's Fees
Self-Certification Vouchers for the Class	$7,000,000.00	People who claim to have made a purchase and suffered damages can self-certify for a $30 voucher.
Documentary Support Vouchers for the Class	None	Un-capped pool of vouchers for class members who can demostrate a purchase during the timeframe. Seems to be capped at $60 per claimant, but not certain.
	$13,500,000.00

OSF Summary

Consolidated class-action lawsuits against TJX Companies, Inc. Broken into tracks, the 'consumers track', and the 'financial institutions' track.

KNOWN NON-COURT COSTS

Name	Date	Reference	Monetary Value	Description
TJX settlement with VISA	2007-11-29	reference	$40,863,000.00	Settlement agreement between VISA and TJX Corporation regarding the TJX data breach. Requires a certain percentage of banks to agree to the settlement. TJX announced a 95% acceptance rate in late December, 2007.
TOTAL COST			$40,863,000.00

COSTS SUMMARY

Known Actual Costs

Monetary Awards from Court Cases	$23,250,000.00
Other Known Costs	$40,863,000.00
TOTAL KNOWN COSTS	$64,113,000.00

Estimated Costs

Ponemon Institute Direct Costs Estimate ¹

$5,640,000,000.00

Note that these estimates are based on the Ponemon Institute's 2009 direct costs figures from their 2009 Annual Study: Cost of a Data Breach. We multiply $60.00 by the number of records to obtain this figure. Keep in mind that depending on the breach, the direct costs are not always suffered by the breached organizations. In the case of credit card number breaches, the direct costs can often be suffered by banks and card issuers. Also note that this is only an estimate.

PRIMARY SOURCES

Primary Source ID: 339

add details to this primary source Description
TJX Breach notification to New Hampshire.
Filename	Source	Researcher	Incident IDs
NH_TJX.pdf	New Hampshire Consumer Protection & Antitrust Bureau	kirniki	<a href='/incidents/show/548'>548</a>
Records	File Date	Uploaded	Updated
Not yet entered	2007-01-17	2008-12-04	23 Sep 15:40
Excerpt
eélsééeliiiéliil ‘`" ar wiz;wgxf.c<2ll1l$.~1eir:@1$i, czisw; BY Fax and ClVC5‘F§1i_ghI Deliverv Jzsuluzuy lf, S200? Hzminpshgire Depamxlent0if.§“11sii’ce Q c Ofii cc affine A‘ttc1i1·1ejyGeue1‘al CU]...

Click here for the Full Details | Download Raw PDF

Primary Source ID: 702

add details to this primary source Description
Breach notification re: TJX to North Carolina.
Filename	Source	Researcher	Incident IDs
NC_tjx_companies.pdf	North Carolina Department of Justice, Consumer Protection Division	cwalsh	<a href='/incidents/show/548'>548</a>
Records	File Date	Uploaded	Updated
Not yet entered	2007-01-17	2008-12-11	23 Sep 19:06
Excerpt
ry fry r:ea~tz»~r rirtmz wt By Fax and Overnight Delivery Y January 17, 2007 Office of the Attorney General Consumer Protection Division North Carolina Department of Justice 9001 Mail Service Cent...

Click here for the Full Details | Download Raw PDF

Primary Source ID: 747

add details to this primary source Description
TJX Breach notification to NY
Filename	Source	Researcher	Incident IDs
NY_tjx2.pdf	New York State Consumer Protection Board	cwalsh	<a href='/incidents/show/548'>548</a>
Records	File Date	Uploaded	Updated
332	2007-01-24	2008-12-25	02 Jan 19:46
Excerpt
0i-31-07 I 05:05pm » From-HUNTON It WILLIAMS 2l2300Ii08 T—04i P.00l/000 F-II3 mnvrow tz WILLIAMS LLP M I' I 200 t>xttu<.Avr;tvu1: NEW YORK, NEW YORK lOl66-0005 I M Teo 2l2·309·l000 _ mx 2tz·2oo...

Click here for the Full Details | Download Raw PDF

Primary Source ID: 782

add details to this primary source Description
Hudson River Community Credit Union breach notification to NY regarding TJX breach.
Filename	Source	Researcher	Incident IDs
NY_hudson_river_community_credit_union.pdf	New York State Consumer Protection Board	cwalsh	<a href='/incidents/show/548'>548</a>
Records	File Date	Uploaded	Updated
2071	2007-01-25	2008-12-25	02 Jan 19:46
Excerpt
Jlgludson Main Office Cohoes Office Glens Falls Gffice 0 312 Palmer Avenue 98 Niver Street 160 Broad Street cT·f·‘‘‘ ii, 2. ,,1_ , Corinth, NY 12822 cehees, NY 12047 Glens Falls, NY 12801...

Click here for the Full Details | Download Raw PDF

Primary Source ID: 1167

add details to this primary source Description
Unauthorised access to credit card information by hacking the system
Filename	Source	Researcher	Incident IDs
ME_01192007_tjx_companies.pdf	Maine Attorney General	kirniki	<a href='/incidents/show/548'>548</a>
Records	File Date	Uploaded	Updated
Not yet entered	2007-01-17	2009-01-29	31 Jan 20:15
Excerpt
I "iY CO.-]·]J'€·l.\i1ES. L\`( *:¥.¥;·1. <¤T?ai ;¤-, _Q ;>;-ivj -¥1.:f=;i By Fax and Overnight Delivery CO NS UME - R PROT·»;CZ'lON orvlsrow R E C k ll! E L; January l7, 2007 I. I JAN an -. Maine...

Click here for the Full Details | Download Raw PDF

Primary Source ID: 1179

add details to this primary source Description
There was a large-scale security breach of the company's computer system which stored customer's transactions over several years. This resulted in a compromise of names, credit card numbers and expiration dates.
Filename	Source	Researcher	Incident IDs
ME_03122007_tower_federal_credit_union.pdf	Maine Attorney General	kirniki	<a href='/incidents/show/548'>548</a>
Records	File Date	Uploaded	Updated
Not yet entered	2007-02-26	2009-01-29	15 Apr 20:08
Excerpt
Tower Federal L Credit Union r = i M envision: February 26, 2007 RECEIVED MAR 1 2 znuz ` ‘* Office of the Maine Attorney General SFF A S Consumer Protection Division ICE OF ATTQRNEY GENERAL 6 Stat...

Click here for the Full Details | Download Raw PDF

Videos

COMMENTS

by d2d [Data Loss Maven] on 2009-01-30 (over 3 years ago)

We state 94 million records, unlike many media reports since the event occurred, because the MA Bankers Association, in their suit against TJX, stated at LEAST 94 million individual cards affected.

To our knowledge, 94 million claimed by the bankers association has not been disputed.

See the references section for details.