Retail giant TJX has agreed to pay around $9.75 million as part of a settlement with a group of 41 state attorneys general investigating the massive security breach at its operations that resulted in the theft of millions of credit and debit card numbers.
Under the settlement, TJX will pay $5.5 million and provide $2.5 million to establish a new data security fund for use by the states to advance effective security and technology. A further $1.75 million will be paid to cover the costs of the investigations.
In addition, the company has to certify that its computer system meets detailed data security requirements specified by the states, and to "encourage" the development of new technologies to address "systemic vulnerabilities" in the US card system.
In a statement, the firm says it believes it did not violate any consumer protection or data security laws and decided to settle in order to concentrate on its core business "without distraction".
Jeffrey Naylor, chief financial and administrative officer, TJX Companies, says: "Under this settlement, TJX and the Attorneys General have agreed to take leadership roles in exploring new technologies and approaches to solving the systemic problems in the US payment card industry that continue to plague businesses and institutions and that make consumers in the United States worldwide targets for increasing cyber crime."
TJX says the cost of the settlement was reflected in a reserve it established in 2007.
The company has already reached a $40.9 million settlement with Visa and a $24 million deal with MasterCard over the breach. It has also settled with the Federal Trade Commission, under terms requiring the company to submit to an independent security audit every two years for the next 20 years.
TJX originally revealed on 17 January 2007 that the computer system it uses to process and store data relating to customer transactions had been hacked, potentially exposing millions of credit and debit card numbers.
Hackers placed unauthorised software on TJX's computer network and stole at least 100 files containing data on millions of accounts from systems in Framingham, Massachusetts and Watford, UK.
Debit and credit card data exposed in the breach is thought to have been used to make fraudulent purchases in Florida, Georgia and Louisiana in the US, as well as in Hong Kong and Sweden.