T.J. Maxx parent company sued in credit card hack probe

Major shareholder files lawsuit seeking documents related to an incident that left customer information vulnerable.

Caroline McCarthy Former Staff writer, CNET News
Caroline McCarthy, a CNET News staff writer, is a downtown Manhattanite happily addicted to social-media tools and restaurant blogs. Her pre-CNET resume includes interning at an IT security firm and brewing cappuccinos.
Caroline McCarthy
2 min read
A major shareholder in T.J. Maxx and Marshalls parent company TJX Companies has filed a lawsuit to obtain documents concerning a hacking incident that left large amounts of customer credit card data vulnerable.

The Arkansas Carpenters Pension Fund, one of TJX's largest shareholders, filed the suit Monday in the Court of Chancery of the State of Delaware. The group claimed that TJX has "wrongfully denied (them) access to the materials" pertaining to the data breach, which began in May 2006 and ended early this year. The company discovered the intrusion in December and first announced in January that its systems had been compromised.

In the far-reaching hacking incident, credit and debit card data between January 2003 and June 2004 was potentially exposed for customers of all TJX stores in the U.S., Canada and Puerto Rico, with the exception of the Bob's Stores chain. There was also evidence of intrusion into the system that handles customer transactions for TJX's T.K. Maxx chain in the United Kingdom and Ireland. Some drivers license data may also have been left vulnerable.

No financial terms of the suit have been disclosed, and representatives from TJX--which is headquartered in Framingham, Mass., but registered as a corporation in Delaware--did not return requests for comment.

According to the complaint, TJX refused to give up documents pertaining to the data breach, including documents that detailed computer systems and protocols, correspondence with banks pertaining to potential customer data theft, transcripts and recordings of meetings regarding the affair, and relevant minutes from meetings of TJX's board of directors.

A Delaware state law allows a company's shareholders to access corporate documents in certain situations. The Arkansas Carpenters Pension Fund alleged in its complaint that obtaining the documents in question is "reasonably related to its interests as a shareholder," and that it has "serious concerns" about TJX's handling of the hacking incident.

In a separate investigation, some of the credit card data from TJX was found to have been used in a case of gift card fraud at Wal-Mart and Sam's Club stores in the vicinity of Gainesville, Fla. The Florida Department of Law Enforcement announced Monday that six people have been arrested for using stolen credit card information to purchase large quantities of gift cards, which they subsequently cashed at the stores for items like gaming consoles, computers and TVs.

According to the Gainesville Police Department, the total losses experienced by the Wal-Mart and Sam's Club stores, as well as banks that issued the stolen credit cards, are currently estimated to be over $8 million. The investigation remains ongoing.