Delaware News


Attorney General’s Office announces agreement with TJX Companies over data breach

Department of Justice | Department of Justice Press Releases | Fraud | Date Posted: Wednesday, June 24, 2009



The Delaware Attorney General’s Office today announced it has reached an
agreement with the TJX Companies, Inc. (“TJX”) following a multi-state investigation of its data
security practices. The agreement resolves a 41-state investigation that explored whether TJX, owner
of discount retailers including T.J. Maxx, Marshalls, and HomeGoods, adequately protected
customers’ financial information and sufficiently guarded against a massive data breach that placed
thousands of consumers’ personal data at risk nationwide. As a result of the agreement, TJX will
implement an information security program to address the weaknesses in systems in place at the time
of the breach. Delaware will also receive $26,837 to aid consumer protection enforcement efforts.

“We have taken action to guard against identify theft and fraud,” stated Timothy Mullaney,
Director of the Attorney General’s Fraud and Consumer Protection Division. “As a result of this
investigation, specific steps are being taken to better protect Delawarean’s personally identifiable
information.”

In 2007, TJX announced that unauthorized persons had obtained access to its computer
systems, enabling them to seize cardholder data and other personally identifiable information. Upon
investigation, a number of vulnerabilities and flaws in its data security systems that facilitated the
unlawful intrusion were discovered. These flaws also allowed breaches to last undetected for an
unacceptable duration. The new TJX information security program will be designed to guard against
future intrusions or unauthorized disclosures.

Under the terms of its agreement with the states, TJX will employ a comprehensive system that
assesses internal and external risks to consumers’ personal information, implements safeguards that
will best protect that consumer information, and regularly monitors and tests the efficacy of those
safeguards. These safety protections include upgrading all Wired Equivalency Privacy (“WEP’) based
wireless systems in TJX retail stores; not storing credit card or debit card data from its network any
longer than necessary; establishing firewalls or other measures to segment network-based systems that
store, process, or transmit personal information; and implementing proper security password
management. TJX will also report regularly to the Attorneys General on the efficacy of its program
and obtain a third-party assessment of its systems.

Consumers are encouraged to report suspected misuse of personally identifiable information,
identity theft, or other consumer fraud by visiting www.attorneygeneral.delaware.gov or by calling the
Attorney General’s toll-free Consumer Hotline at 1-800-200-5424.
# # #

image_printPrint


Graphic that represents delaware news on a mobile phone

Keep up to date by receiving a daily digest email, around noon, of current news release posts from state agencies on news.delaware.gov.

Here you can subscribe to future news updates.

Attorney General’s Office announces agreement with TJX Companies over data breach

Department of Justice | Department of Justice Press Releases | Fraud | Date Posted: Wednesday, June 24, 2009



The Delaware Attorney General’s Office today announced it has reached an
agreement with the TJX Companies, Inc. (“TJX”) following a multi-state investigation of its data
security practices. The agreement resolves a 41-state investigation that explored whether TJX, owner
of discount retailers including T.J. Maxx, Marshalls, and HomeGoods, adequately protected
customers’ financial information and sufficiently guarded against a massive data breach that placed
thousands of consumers’ personal data at risk nationwide. As a result of the agreement, TJX will
implement an information security program to address the weaknesses in systems in place at the time
of the breach. Delaware will also receive $26,837 to aid consumer protection enforcement efforts.

“We have taken action to guard against identify theft and fraud,” stated Timothy Mullaney,
Director of the Attorney General’s Fraud and Consumer Protection Division. “As a result of this
investigation, specific steps are being taken to better protect Delawarean’s personally identifiable
information.”

In 2007, TJX announced that unauthorized persons had obtained access to its computer
systems, enabling them to seize cardholder data and other personally identifiable information. Upon
investigation, a number of vulnerabilities and flaws in its data security systems that facilitated the
unlawful intrusion were discovered. These flaws also allowed breaches to last undetected for an
unacceptable duration. The new TJX information security program will be designed to guard against
future intrusions or unauthorized disclosures.

Under the terms of its agreement with the states, TJX will employ a comprehensive system that
assesses internal and external risks to consumers’ personal information, implements safeguards that
will best protect that consumer information, and regularly monitors and tests the efficacy of those
safeguards. These safety protections include upgrading all Wired Equivalency Privacy (“WEP’) based
wireless systems in TJX retail stores; not storing credit card or debit card data from its network any
longer than necessary; establishing firewalls or other measures to segment network-based systems that
store, process, or transmit personal information; and implementing proper security password
management. TJX will also report regularly to the Attorneys General on the efficacy of its program
and obtain a third-party assessment of its systems.

Consumers are encouraged to report suspected misuse of personally identifiable information,
identity theft, or other consumer fraud by visiting www.attorneygeneral.delaware.gov or by calling the
Attorney General’s toll-free Consumer Hotline at 1-800-200-5424.
# # #

image_printPrint


Graphic that represents delaware news on a mobile phone

Keep up to date by receiving a daily digest email, around noon, of current news release posts from state agencies on news.delaware.gov.

Here you can subscribe to future news updates.