US retailer TJX has agreed to pay up to $24 million in a settlement with MasterCard following the massive security breach at its operations that resulted in the theft of millions of credit and debit card numbers.
Under the terms of the agreement, the retailer will pay up to $24 million to MasterCard issuers that were forced to re-issue payment cards following the data breach, in which over 94 million Visa and MasterCard accounts may have been exposed.
The deal is dependent on at least 90% of MasterCard issuers accepting the terms by 2 May, says TJX, and will be paid in the second quarter. TJX says the amount paid is covered by a $107 million reserve taken in relation to the breach.
The agreement follows a $40.9 million settlement with Visa that was disclosed in November last year. That pact was dependent on 80% of Visa issuers accepting the agreement; however, TJX said in December that over 95% of eligible Visa issuers agreed to the deal.
Like the Visa agreement, the MasterCard pact is dependent on issuers agreeing not to sue TJX over the hacking.
In a statement Carol Meyrowitz, TJX president and CEO, says: "We believe this settlement agreement provides a fair resolution for MasterCard and its issuing banks and look forward to a high level of issuer acceptance."
In a MasterCard statement, Joshua Peirez, chief payment system integrity officer, says: "We believe that by working closely and cooperatively with issuers and merchants we can reduce the overall impact and costs of security breaches, while protecting consumers and accelerating fair and equitable resolutions of claims."
TJX also settled with the Federal Trade Commission last month, which said the retailer "failed to use reasonable and appropriate security measures to prevent unauthorized access to personal information on its computer networks". Under the FTC settlement TJX is required to submit to an independent security audit every two years for the next 20 years.
In December the retailer also reached a settlement with all but one of the seven banks and banking associations that had filed lawsuits following the security breach.
The retailer originally revealed on 17 January 2007 that the computer system it uses to process and store data relating to customer transactions had been hacked, potentially exposing millions of credit and debit card numbers. Data exposed in the breach is thought to have been used to make fraudulent purchases in Florida, Georgia and Louisiana in the US, as well as in Hong Kong and Sweden.
News of TJX's settlement with MasterCard comes as America's Identity Theft Resource Center, a non-profit organisation, warns that the number of data security breaches more than doubled in the first quarter in the US.
There were 167 breaches reported during the first quarter of 2008. This is more than double the first quarter of 2007, when 76 incidents were reported, and more than a third of the total number of breaches for calendar 2007.
Already this year there have been a number of high-profile, large-scale security breaches, including an incident at GE Money, where a computer tape containing confidential data belonging to over 650,000 credit card holders was lost, and one at US supermarket chain Hannaford, where 4.2 million credit and debit card accounts were compromised after fraudsters installed malware on servers at all of the retailer's 300 stores.