Skip to page content Skip to site navigation
Home :: Open Government :: News :: 2009 :: June
AG Chris Koster | FAQs
Missouri Attorney General


Browse by month and year

Search by keyword(s)

Attorney General's News Release

June 23, 2009

Attorney General Chris Koster announces multi-state settlement with the TJX Companies, Inc., over massive data breach

Jefferson City, Mo. - Attorney General Chris Koster today announced a settlement between Missouri and 39 other states, and the TJX Companies, Inc., resolving an investigation concerning TJX's data-security practices and whether they adequately protected customers' financial information and sufficiently guarded against a massive data breach that placed thousands of consumers' personal data at risk.

Under the terms of the settlement, TJX will implement and maintain a comprehensive information security program to address weaknesses in its computer security systems at the time of the breach. In addition, Missouri will receive $67,423.80 to aid consumer protection enforcement.

"Data privacy is of great concern to my office. Customer data should be kept secure by companies that deal with the public so that personally identifying information is not exposed to computer hackers," Koster said. "This resolution helps ensure customer privacy."

The coalition of Attorneys General launched an extensive investigation into TJX's data security policies and procedures after a breach in 2007 where individuals obtained cardholder data and other personally identifiable information. That investigation uncovered a number of vulnerabilities and flaws in TJX's data security systems.

The settlement requires TJX to implement an information security program designed to guard against future intrusions or unauthorized disclosures. The settlement ensures that TJX will employ a comprehensive "Information Security Program" that assesses internal and external risks to consumers' personal information, implements the safeguards that will best protect that consumer information, and regularly monitors and tests the efficacy of those safeguards. TJX also will report regularly to the Attorneys General on the efficacy of its program, after obtaining a third-party assessment of its systems.

Specifically, TJX must:

  • Upgrade all Wired Equivalency Privacy ("WEP') based wireless systems in TJX retail stores to wired systems or Wi-Fi Protected Access ("WPA") wired systems;
  • Not store credit card or debit card data on its network any longer than necessary for legitimate business purposes;
  • Appropriately segment from the rest of the TJX computer system those network-based portions of the TJX computer system that store, process or transmit personal information, by firewalls, access controls, and other appropriate measures; and
  • Implement proper security password management for portions of the TJX computer system that store, process or transmit personal information.

State homepage   |    Missouri statutes   |    Forms   |    Site Map   |    Accessibility   |    Privacy Policy   |    Contact Us  Follow AGO on Twitter!  RSS Feed  RSS Feed