US chain settles data leak case

http://news.bbc.co.uk/go/rss/-/1/hi/business/7151294.stm

Version 0 of 1.

US retailer TJX, which owns TJ Maxx and UK outlet TK Maxx, has reached an out-of-court deal with a string of banks over a credit card data breach.

The scam saw hackers steal details of about 100 million credit and debit card transactions over several years.

The value of the settlement is confidential but includes payments to Visa and US bank associations to cover costs of replacing customers' cards.

The retailer has said that UK customers were not exposed to fraud.

TJX said it had also spent about $125m on improving security.

The settlement covered class actions in the United States, Puerto Rico and Canada.

Decryption tool

TJX reached a deal with all but one of the seven banks and bankers groups that sued it. Those who did sign up to the settlement - also designed to cover costs of monitoring fraud - have waived their rights to sue.

The data was accessed on TJX's systems in Watford, Hertfordshire, and Massachusetts over a 16-month period from July 2005 and covered transactions made by credit and debit card dating as far back as December 2002.

In its filing to the Securities and Exchange Commission earlier this year, the group said it believed "the intruder had access to the decryption tool for the encryption software utilized by TJX".

The firm had initially said that at least 45.7 million cards were exposed to potential fraud.

But it added that at least three-quarters of the affected cards had expired or data had been masked.