March 21, 2007 3:23 PM PDT

T.J. Maxx parent company sued in credit card hack probe

A major shareholder in T.J. Maxx and Marshalls parent company TJX Companies has filed a lawsuit to obtain documents concerning a hacking incident that left large amounts of customer credit card data vulnerable.

The Arkansas Carpenters Pension Fund, one of TJX's largest shareholders, filed the suit Monday in the Court of Chancery of the State of Delaware. The group claimed that TJX has "wrongfully denied (them) access to the materials" pertaining to the data breach, which began in May 2006 and ended early this year. The company discovered the intrusion in December and first announced in January that its systems had been compromised.

In the far-reaching hacking incident, credit and debit card data between January 2003 and June 2004 was potentially exposed for customers of all TJX stores in the U.S., Canada and Puerto Rico, with the exception of the Bob's Stores chain. There was also evidence of intrusion into the system that handles customer transactions for TJX's T.K. Maxx chain in the United Kingdom and Ireland. Some drivers license data may also have been left vulnerable.

No financial terms of the suit have been disclosed, and representatives from TJX--which is headquartered in Framingham, Mass., but registered as a corporation in Delaware--did not return requests for comment.

According to the complaint, TJX refused to give up documents pertaining to the data breach, including documents that detailed computer systems and protocols, correspondence with banks pertaining to potential customer data theft, transcripts and recordings of meetings regarding the affair, and relevant minutes from meetings of TJX's board of directors.

A Delaware state law allows a company's shareholders to access corporate documents in certain situations. The Arkansas Carpenters Pension Fund alleged in its complaint that obtaining the documents in question is "reasonably related to its interests as a shareholder," and that it has "serious concerns" about TJX's handling of the hacking incident.

In a separate investigation, some of the credit card data from TJX was found to have been used in a case of gift card fraud at Wal-Mart and Sam's Club stores in the vicinity of Gainesville, Fla. The Florida Department of Law Enforcement announced Monday that six people have been arrested for using stolen credit card information to purchase large quantities of gift cards, which they subsequently cashed at the stores for items like gaming consoles, computers and TVs.

According to the Gainesville Police Department, the total losses experienced by the Wal-Mart and Sam's Club stores, as well as banks that issued the stolen credit cards, are currently estimated to be over $8 million. The investigation remains ongoing.

See more CNET content tagged:
shareholder, credit card, hacking, document, Wal-Mart Stores Inc.

3 comments

Join the conversation!
Add your comment
insurance?
Is there an insurance policy that TJ Maxx or another business could buy that would pay the customers and banks costs for this incident?
Posted by 52olds (1 comment )
Reply Link Flag
I read the article about the Russian Gans hijacking PCs stealing credit card information, passwords and PIN numbers. It seems a bit unfair for the courts to claim TJMax was remiss in their duties to keep track of what hackers are doing, when they are so bent on stealing in ever-increasing creative ways.

This case is akin to a supermarket purchasing the more expensive cash registers that are nearly impossible to open with a hammer or a few bullets from a rifle just to obtain the lower premiums for theft insurance. At some point, the supermarket would have to bolt the entrance doors during business hours to keep their morning change all day and night. Not good for business, but the funds would be secure.

Since that idea is not good for anyone from consumers to macro economy, there should be a standard of laws in place that demonstrate a retail store has taken reasonable precautions to protect their customers from creative theives, and beyond that point it is a matter of national security and federal funding that would protect our American economy, not punish Super stores who are trying to make a buck.

As the writer points out, if people are afraid to spend money, we all suffer as a nation which has global implications.

If we take this argument to a murder case, there is only so much mom and pops can do to protect their children as they approach the age of 18. If their son or daughter is murdered on their way to school, we don't punish the parents. Society and government grieves while actively

1. pursuing the murderer and bring to justice, and

2. create laws with penalties that we hope will
discourage this deadly activity in the future.

In the instant case, TJMax did not "give away" their customer's identification and personal financial information. TJMAX needs its customers to fearlessly purchase their products to survive, too. We all need each other to make the economy work, and like the insurance companies and the old west posse, find ways as a team to crush the efforts of criminals.

If TJMax is at fault, then their insurance company was remiss, too....along with all of the corporate owners of the credit cards, debit cards, banks and credit bureaus who failed to implement procedures and guidelines for retailers to do business using their credit cards in a safe and secure manner. But to punish TJMAX using hindsight at 20/20, is totally unfair to TJMAX.


Go to: <a class="jive-link-external" href="http://www.consumeraffairs.com/news04/2007/01/congress_privacy.html" target="_newWindow">http://www.consumeraffairs.com/news04/2007/01/congress_privacy.html</a>

and you will note that Congress has a few proposed bills to resolve the matter, however, our government has not taken a stand on what specific protections "the government should take on the VA office" and for that matter leaves the gates wide open to penalize TJMaxx. So there is a free for all lawsuit against TJMAX by the credit card owners and any one else who could make a claim that TJMAX is at fault for not doing EVERYTHING possible known to man to protect its customers. We drive cars, and by law we are required to have insurance, but when we have accidents and people die, the insurance does not bring anyone back to life. There is a limit to what laws and protections we can adopt that makes sense. Just as insurance premiums paid on time does not prevent death by automobiles, trucks, and airplanes, TJMaxx, nor any other retailer can protect its customers from theft
when the playing field is populated with creative-intelligent-software-thieves.

The money TJMAXX is paying in penalties between credit card owners and other corporations that have claims against TJMAXX, would be better spent purchasing stocks of companies engage in creating more complex methods to recognize the presence of a thief's software, hardware and portals being used, not only to stop them, but to identify their source, address and have the Feds and Police at their
door step in minutes of notification. This constant transfer of wealth from TJMAX and Marshalls, etc, is a waste of cash exchange when all parties are suffering and after the exchange of cash, does not bring any party closer to solving the problem.

Well, that's my opinion for the record.
Posted by WHO2BLAME (2 comments )
Link Flag
I read the article about the Russian Gans hijacking PCs stealing credit card information, passwords and PIN numbers. It seems a bit unfair for the courts to claim TJMax was remiss in their duties to keep track of what hackers are doing, when they are so bent on stealing in ever-increasing creative ways.

This case is akin to a supermarket purchasing the more expensive cash registers that are nearly impossible to open with a hammer or a few bullets from a rifle just to obtain the lower premiums for theft insurance. At some point, the supermarket would have to bolt the entrance doors during business hours to keep their morning change all day and night. Not good for business, but the funds would be secure.

Since that idea is not good for anyone from consumers to macro economy, there should be a standard of laws in place that demonstrate a retail store has taken reasonable precautions to protect their customers from creative theives, and beyond that point it is a matter of national security and federal funding that would protect our American economy, not punish Super stores who are trying to make a buck.

As the writer points out, if people are afraid to spend money, we all suffer as a nation which has global implications.

If we take this argument to a murder case, there is only so much mom and pops can do to protect their children as they approach the age of 18. If their son or daughter is murdered on their way to school, we don't punish the parents. Society and government grieves while actively

1. pursuing the murderer and bring to justice, and

2. create laws with penalties that we hope will
discourage this deadly activity in the future.

In the instant case, TJMax did not "give away" their customer's identification and personal financial information. TJMAX needs its customers to fearlessly purchase their products to survive, too. We all need each other to make the economy work, and like the insurance companies and the old west posse, find ways as a team to crush the efforts of criminals.

If TJMax is at fault, then their insurance company was remiss, too....along with all of the corporate owners of the credit cards, debit cards, banks and credit bureaus who failed to implement procedures and guidelines for retailers to do business using their credit cards in a safe and secure manner. But to punish TJMAX using hindsight at 20/20, is totally unfair to TJMAX.


Go to: <a class="jive-link-external" href="http://www.consumeraffairs.com/news04/2007/01/congress_privacy.html" target="_newWindow">http://www.consumeraffairs.com/news04/2007/01/congress_privacy.html</a>

and you will note that Congress has a few proposed bills to resolve the matter, however, our government has not taken a stand on what specific protections "the government should take on the VA office" and for that matter leaves the gates wide open to penalize TJMaxx. So there is a free for all lawsuit against TJMAX by the credit card owners and any one else who could make a claim that TJMAX is at fault for not doing EVERYTHING possible known to man to protect its customers. We drive cars, and by law we are required to have insurance, but when we have accidents and people die, the insurance does not bring anyone back to life. There is a limit to what laws and protections we can adopt that makes sense. Just as insurance premiums paid on time does not prevent death by automobiles, trucks, and airplanes, TJMaxx, nor any other retailer can protect its customers from theft
when the playing field is populated with creative-intelligent-software-thieves.

The money TJMAXX is paying in penalties between credit card owners and other corporations that have claims against TJMAXX, would be better spent purchasing stocks of companies engage in creating more complex methods to recognize the presence of a thief's software, hardware and portals being used, not only to stop them, but to identify their source, address and have the Feds and Police at their
door step in minutes of notification. This constant transfer of wealth from TJMAX and Marshalls, etc, is a waste of cash exchange when all parties are suffering and after the exchange of cash, does not bring any party closer to solving the problem.

Well, that's my opinion for the record.
Posted by WHO2BLAME (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.