TJX faces class action lawsuit in data breach

A class action lawsuit was filed yesterday in US District Court in Boston accusing TJX Cos. of negligence for failing to maintain adequate security of customer credit and debit card data and not disclosing the breach for a month.

The suit was filed on behalf of Paula G. Mace of Horner, W.Va., who had her debit card information stolen from the company's computer system. It is seeking credit monitoring services and any damages incurred by affected customers, according to Jonathan Shapiro , a partner with Stern Shapiro Weissberg & Garin of Boston, one of two firms that brought the case.

"Because of TJX's actions, hundreds of thousands or even millions of its customers have had their personal financial information compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages," according to the suit.

Both Mace and Sherry Lang, a TJX spokeswoman, would not discuss the case.

The lawsuit came as TJX chairman Ben Cammarata spoke out yesterday for the first time since the Framingham discounter disclosed on Jan. 17 that a hacker stole customers' personal data from its computer system dating as far back as 2003. TJX, which last week was considering offering credit monitoring for customers whose personal data was compromised, yesterday said it would not provide that service.

"Based on the type of data involved in the breach of our systems, we don't believe that such monitoring will be meaningful to customers," Cammarata said in a seven-minute video posted on TJX's website.

The chairman, in the video and full-page advertisements in several New England newspapers, also tried to clarify why the company waited more than a month to talk about the incident. Banking officials and retail consultants have estimated that millions of customers could be affected in what may be the biggest loss of customer data in US history.

Cammarata sought to reassure customers that it's safe to shop at TJX's more than 2,500 stores, including T.J. Maxx, Marshalls, and HomeGoods.

"By delaying a public announcement, with the help of top computer security experts, we were able to contain the problem and further strengthen our computer network to prevent further intrusion," Cammarata wrote in a full-page advertisement that appeared in the Boston Sunday Globe. "Therefore, we believe that we were acting in the best interest of our customers."

Cammarata also said the company now believes that customer transactions at Bob's Stores, and transactions using debit cards issued by Canadian banks, were not compromised in the breach.

Still, some consumers and crisis communications executives said Cammerata's comments are not only late but inadequate, and criticized TJX for refusing to disclose how many customers were affected and for leaving too many other questions unanswered. TJX has not said how many customers have been affected, but the Massachusetts Bankers Association has already reported credit- and debit-card fraud connected to the breach for unauthorized purchases made from Florida to Hong Kong. So far banks have reissued hundreds of thousands of cards.

Some security experts also challenged Cammarata's video statement yesterday that it would be extremely unlikely for thieves to commit identity fraud with the information that was stolen in this incident. Besides card numbers, TJX has said that a small number of customers' driver's license numbers, names, and addresses may also have been taken.

Steven D. Bearak , chief executive of Identity Force, a Framingham identity-theft-solutions company, said thieves who have only credit or debit card numbers can steal identities by combining them with other information, such as names, addresses, and Social Security numbers sold or traded on the black market, to piece together what he calls a "synthetic identity."

And while credit monitoring typically only watches for new credit lines opened in someone's name, Bearak said, credit-card monitoring services can be useful to detect potentially fraudulent charges on individual credit or debit accounts.

"Customers are at a high risk. This was an intentional, malicious intrusion into TJX's system," Bearak said. "This appears to have been an attack, well thought out, well planned, and well executed."

Separately, TJX also disclosed yesterday in a regulatory filing that TJX group president Alexander Smith resigned, and that Gary Crittenden, chief financial officer of American Express Co., stepped down from TJX's board.

TJX spokeswoman Lang said Smith left for an opportunity with another retailer. When asked whether Crittenden's resignation was connected to the security breach, Lang said the company doesn't comment on resignations of directors.

The changes come as TJX president Carol Meyrowitz assumed the chief executive's post on Sunday, as planned. Cammarata had been acting as chief executive and will remain chairman.

Jenn Abelson can be reached at abelson@globe.com.