The lawsuit alleges that TJX did not properly secure customer credit and debit card information and accuses the company of not alerting customers to the security breach for a month. The suit seeks compensation for damages incurred by affected customers and requests the company provide credit monitoring services.
The lawsuit was filed after a security breach at TJX in which a computer hacker stole customers' personal information from the company's computer system. The stolen information includes retail transactions from 2003 and transactions from mid-May, 2006 through December, 2006. The information, which was stored by TJX, was taken from credit and debit card transactions, checks, and merchandise returns.
Previously, TJX had said it may offer credit monitoring for those customers whose information was compromised, however the company later said that service would not be provided, noting that they felt that credit monitoring would not be beneficial to their customers. TJX has not yet announced how many customers were affected by the breach although some experts believe millions of customers were compromised by the theft. By January 25, banks in New England had already identified at least 200,000 cards that were compromised by the breach.
TJX waited almost a month before telling customers that their personal information had been compromised. The company announced the breach on January 17 even though it discovered the breach in mid-December. However, the theft actually occurred in mid-May, 2006. The chairman of the company claimed that the public announcement was delayed because they were trying to contain the problem and protect their customers.
Information stolen includes credit and debit card information, driver's license numbers, names, and addresses. The thieves may have enough information on customers to commit identity theft. Between the time the information was stolen and the time the public announcement was made, fraudulent debit and credit card purchases were made in Florida, Georgia, Louisiana, Hong Kong, and Sweden.
In response to the information theft, banks have had to reissue hundreds of thousands of debit and credit cards to customers whose information was stolen.
Meanwhile, Rhode Island Attorney General Patrick C. Lynch began an investigation into the security breach on February 5. The investigation surrounds the company's inability to prevent hackers from getting into the computer system and its failure to notify customers of the security breach as soon as possible.
It is possible that TJX was storing more customer information than was necessary. Under credit-card network rules, retailers should not store information after a customer's identity and account balance have been confirmed, at most a couple of days. Once that is done, the information should be cleared. However, this is not a law and most retailers keep customers' personal information on file for much longer than that, sometimes more than two years.
TJX runs over 2,500 discount stores including T.J. Maxx, Marshalls, A.J. Wright and HomeGoods. In addition to a lawsuit in the U.S., the company also faces a class action lawsuit in Canada, where TJX owns Winners and HomeSense.