TK Maxx owner offers $41 million for record-breaking data breach

The head of risk at credit card firm Visa has called for greater security in retail payment systems. The call came as a deal was announced under which TK Maxx owner TJX will pay out $41 million over its recent customer data breach.

The credit card details of more than 45 million TJX customers were compromised in March when data thieves broke into insecure computer systems and took the details. It is thought to be the biggest data breach ever.

The company has now agreed to pay out $40.9 million to Visa member banks in return for those banks agreeing "to release TJX and its U.S. acquirers from legal and financial liability," according to a statement from Visa and TJX.

TJX was criticised at the time of the breach for having lax data security. Some of the information was obtained by simply hacking into wireless networks used to transmit credit card details.

Visa's head of global risk management Ellen Richey said she hoped that companies would spend more on improving security. "We hope one outcome of this resolution is recognition that a greater investment in security is good business," she said. "It's clear the impact of a data compromise harms all payment system stakeholders – merchants, banks and consumers alike."

Visa and TJX said that banks would receive more under this scheme than under alternatives, and that they will have to agree not to pursue other fund recovery schemes in order to accept this one.

"It is expected that financial institutions will receive greater reimbursement by opting into the TJX settlement than they would have received under the traditional or ADCR programs," said the statement.

The incident received worldwide attention, and some of the cards involved will have belonged to UK and Ireland customers, because there were breaches there. Anyone who shopped between January 2003 and June 2004 is at risk, the company said at the time.

The deal offered to Visa is not available to banks outside the US, however.

TJX said at the time that 75% of the cards had expired or had their numbers blacked out, but did admit that decryption software programs might be able to fill in some of the blacked-out numbers.