US retailer TJX says it has reached a settlement with all but one of the seven banks and banking associations that filed lawsuits following the massive data breach at its operations that resulted in the theft of millions of credit card numbers.
In a statement TJX says it has entered into a settlement agreement with the Massachusetts Bankers Association, Connecticut Bankers Association and Maine Association of Community Banks, along with Eagle Bank, Saugusbank and Collinsville Savings Society.
Under the agreement the bank and banking groups will dismiss all of claims against TJX.
Terms of the settlement weren't disclosed, but TJX says the amount paid is covered by a $107 million reserve taken in the second quarter. The retailer will pay part of the costs and expenses the banks incurred, excluding attorney fees.
However one of the community banks that sued TJX over the breach - Alabama-based Amerifirst Bank - didn't agree to the retailer's settlement. Inge Johnstone, a lawyer for Amerifirst, told reporters that TJX caused a "grave injustice" to banks across the country and many of those banks are small community banks like Amerifirst.
The settlement comes about six months after the suit was filed in US District Court in Boston and follows a separate settlement agreement between TJX and Visa that was disclosed on 30 November. In that agreement TJS agreed to pay as much as $40.9 million for losses incurred by US Visa issuers that were forced to re-issue payment cards following the breach. This deal is contingent on acceptance by banks representing at least 80% of the Visa-card accounts involved.
The retailer originally revealed on 17 January that the computer system it uses to process and store information related to customer transactions had been hacked, potentially exposing millions of customers' credit and debit card numbers, as well as driver's licence information.
Hackers placed unauthorised software on TJX's computer network and stole at least 100 files containing data on millions of accounts from systems in Framingham, Massachusetts and Watford, UK.
Debit and credit card data exposed in the breach is thought to have been used to make fraudulent purchases in Florida, Georgia and Louisiana in the US, as well as in Hong Kong and Sweden.
So far no arrests have been made of people suspected to have broken into TJX's systems, although in September the ringleader of a gang that used data stolen during the TJX hacking was sentenced to five years in prison and ordered to pay nearly $600,000 in restitution.