Skip to content
​Photo byztil301/Flickr

TJX Settles Data Breach for $9.7 Million

TJX Companies Inc.—parent company of T.J. Maxx, Marshalls, and Home Goods—will pay out $9.7 million to 41 states after hackers stole customers' payment card information in one of the biggest data breaches ever reported.

Pennsylvania Attorney General Tom Corbett, who announced the deal,said the settlement helps protect consumers from corporate negligence when using payment cards.

"Businesses have an obligation to make every possible effort to protect customer information, so that consumers are not left to struggle with fraud and theft simply because they made a purchase," he said.

The settlement also devotes $2.5 million of the total to create a national fund to investigate future data breaches.

The year-long hack attack that the TJX reported in January 2007, which stole 45.7 million credit and debit card numbers, has proven to be an expensive mistake for the company,reports

In April 2008, TJX agreed to pay as much as $24 million to cover costs incurred by banks that issue MasterCards. The company settled a separate complaint with the U.S. Federal Trade Commission in March 2008, and agreed in November 2007 to pay Visa’s issuers $40.9 million. Under the FTC agreement, TJX is required to start an information-security program and undergo an external audit every other year for 20 years.

TJX set aside $107 million in 2007 to deal with the security breach's fallout, despite company protestations that it did nothing wrong. The payment card industry thought otherwise and sued TJX for failing to follow nine of the 12 requirements, known as the PCI Data Security Standard, that credit card companies impose on retailers to secure card data,reported The Boston Globe in 2007.

Last month, according to, TJX said that it "firmly believes that it did not violate any consumer protection or data security laws."