Customers On T.J. Maxx Data Breach: Some Sue, Others SpendCustomers On T.J. Maxx Data Breach: Some Sue, Others Spend

The costs and lawsuits continue to grow for TJX Companies -- parent of T.J. Maxx, Marshalls, and other retailers -- thanks to the now-infamous security breach to its IT systems, but the threat of identity theft and credit card fraud aren't enough to keep shoppers away.

The company Thursday reported a $20 million computer-intrusion-related charge for its third quarter, ended April 28. Sales were up about 6%, to $4.11 billion, from the same quarter a year ago.

Although the timing and extent of the intrusion into TJX's IT systems is in dispute, the company reported late last year that it suffered an unauthorized intrusion or intrusions into portions of its computer system that process and store information related to credit and debit card, check, and no-receipt merchandise return transactions. This admission that customer information was stolen from some stores dating back to 2003 has opened the floodgates to lawsuits from store customers afraid of identity theft and from financial institutions whose customer service costs have increased as a result of worried clients.

TJX claimed in a regulatory filing Thursday that it does not know "who took this action, whether there were one or more intruders involved, or whether there was one continuing intrusion or multiple, separate intrusions." The $20 million, or 0.5% of net sales for the quarter, TJX already has spent related to the intrusion has gone toward investigating and containing the computer intrusion, work to improve the company's computer security and systems, communicating with customers, and technical, legal, and other related costs, the company stated.

Costs are likely to increase quickly. Payment card issuers, such as Visa, have initiated Payment Card Industry security standard compliance claims against some of TJX's acquiring banks seeking reimbursement, according to TJX, for about $4 million in fraudulent payment card transactions. The transactions were made with counterfeit payment cards believed to have been created using payment card transaction information allegedly stolen during the TJX computer intrusion. PCI members also could issue fines against TJX for noncompliance with the PCI standards.

That's just scratching the surface, as TJX is facing class-action lawsuits from customers in state and federal courts in Alabama, California, Illinois, Massachusetts, Michigan, Ohio, and Puerto Rico, as well as in provincial Canadian courts in Alberta, British Columbia, Manitoba, Ontario, Quebec, and Saskatchewan. Additional class-action suits from financial institutions affected by the computer intrusion -- those issuing credit and debit cards used during the time of the intrusion -- have been filed against TJX in federal court in Massachusetts. All-told, nine lawsuits have been filed against TJX since April 17.

TJX claims that it doesn't know the extent of any fraudulent use of any of the payment card information believed stolen and that the company doesn't know the details of the ongoing law enforcement investigations into the crime. The company is aware, however, that law enforcement and 37 state attorneys general are looking into whether the computer intrusion violated any laws regarding consumer protection. The company has received subpoenas from 11 of these attorneys general.