Академический Документы
Профессиональный Документы
Культура Документы
DISTRICT OF MASSACHUSETTS
:
IN RE TJX COMPANIES RETAIL SECURITY : MASTER DOCKET
BREACH LITIGATION : Civil Action No. 07-10162-WGY
: (Lead Case)
(Including cases transferred pursuant to THE :
TJX COMPANIES, INC. CUSTOMER DATA : MDL Docket No. 1838
SECURITY BREACH LITIGATION) :
__________________________________________:
:
THIS DOCUMENT RELATES TO: :
CONSUMER TRACK ACTIONS :
:
Plaintiffs Anne Cohen, ACohen Public Relations, LLC (“ACohen”), Julie Buckley,
LaQuita Kearney, Laura Lerner, Robert Mann, Jitka Parmet, Kimberly Myck-Rawson, Deborah
Wilson, Kathleen Robinson, Shannon Kidd, and Mary Robb Farley (collectively “Plaintiffs”)
hereby bring this class action suit against TJX Companies, Inc. (“TJX” or the “Company”) and
Fifth Third Bancorp (“Fifth Third”) (collectively “Defendants”). Plaintiffs make the following
allegations based upon the investigation undertaken by Plaintiffs’ counsel, which included,
inter alia, review and analysis of TJX’s public filings with the Securities and Exchange
Commission (“SEC”), TJX’s press releases, Defendants’ websites, various news articles, and
Certain plaintiffs in the actions consolidated herein are not set forth as named plaintiffs
herein. Those plaintiffs are not waiving or dismissing any rights. The Plaintiffs named herein
are perfectly adequate to represent this Class and to assert the claims contained herein.
NATURE OF THIS ACTION
1. Plaintiffs bring this class action suit on their own behalf and on behalf of all other
persons or entities in the United States, Puerto Rico, and Canada who shopped at TJX’s stores in
the United States, Puerto Rico, or Canada, made a purchase or return, and have had personal or
financial data stolen or compromised from TJX’s computer systems. This suit seeks to redress
information. As reported, the security breach at TJX represents the largest computer theft of
personal data in history. More specifically, this action arises from Defendants’ failure to
maintain adequate computer security of consumers’: (i) credit and debit card information; (ii)
drivers’ licenses, military, and state identification numbers, with related names and addresses and
sometimes containing social security numbers (collectively “Personal ID” information); and (iii)
check transaction information, all of which was accessed and stolen by computer hackers.
TJX, as well as industry experts, Defendants failed to comply with specific industry standards
governing the security of credit card and other data. Reportedly, TJX’s “wireless network had
less security than many people have on their home networks.” As a result, consumer information
was stolen from TJX’s computer systems that handle a wide range of financial information for its
customers, including transactions involving credit cards, debit cards linked to checking accounts,
millions of TJX’s customers have had their financial and personal information stolen or
compromised, have had their privacy rights violated, have been exposed to fraud and identity
theft or at least the risk thereof, and have otherwise suffered damages.
2
3. According to TJX, the hackers gained access into its systems “in July 2005, on
subsequent dates in 2005 and from mid-May 2006 to mid-January 2007,” meaning the security
breaches occurred during at least a fourteen month period. Inexplicably, TJX did not detect the
breach until mid-December 2006, eighteen months after the initial intrusion. TJX then waited
approximately one month to publicly announce the security breach on January 17, 2007.
Notably, TJX delayed announcing the breach until after the busy holiday shopping season, the
period in which the greatest amount of shopping occurs and the greatest amount of revenue is
earned by TJX and its subsidiaries, relative to its other financial quarters.
4. The compromised customer transactions took place at various points during a four
year period, from December 31, 2002 through December 18, 2006.
5. It has been reported that 45.7 million credit and debit cards have been
6. According to the May 4, 2007 Wall Street Journal article, TJX had an outdated
wireless network through which the hackers gained access. TJX had further computer
deficiencies, as it “failed to install firewalls and data encryption on many of its computers using
the wireless network, and didn't properly install another layer of security software it had bought.”
TJX also had “outmoded WEP encryption and missing software patches and firewalls.”
magnitude of the data breach (the largest in history), the lengthy period during which the
intrusions occurred (beginning at least as early as July 2005 and occurring over at least a fourteen
month period), the lengthy period in which the compromised transactions took place (four years
from December 31, 2002 forward), and the significant delay between the date of the first
3
intrusion in July 2005 and the date TJX finally discovered the intrusion in December 2006
(eighteen months), all serve as concrete evidence of Defendants’ negligence and other wrongful
conduct in failing adequately to safeguard and monitor TJX’s computer systems to ensure the
matter in controversy exceeds $5 million, at least one Plaintiff has diverse citizenship from at
least one Defendant, and there are more than 100 class members.
9. Venue properly lies in this District pursuant to 28 U.S.C. § 1391(a)(2) because the
cause of action arose in this District, and the unlawful conduct of Defendants, out of which the
PARTIES
10. Plaintiff Anne Cohen resides in Kingston, New York. Plaintiff Cohen’s debit
card information was stolen from TJX’s computer systems, and she has been damaged as a result.
Kingston, New York. Plaintiff Anne Cohen is the Principal of Plaintiff ACohen. ACohen’s
debit card information was stolen from TJX’s computer systems, and ACohen has been damaged
as a result.
12. Plaintiff Julie Buckley resides in Ann Arbor, Michigan. Plaintiff Buckley’s debit
card information was stolen from TJX’s computer systems, and she has been damaged as a result.
driver’s license number and other personal information were stolen from TJX’s computer
4
systems, and she has been damaged as a result.
driver’s license number and other personal information were stolen from TJX’s computer
debit card information was stolen from TJX’s computer systems, and he has been damaged as a
result.
16. Plaintiff Jitka Parmet resides in Camarillo, California. Plaintiff Parmet’s credit
and debit card information was stolen from TJX’s computer systems, and she has been damaged
as a result.
Rawson’s debit card information was stolen from TJX’s computer systems. She also believes
that her credit card information may have been stolen from TJX’s computer systems. She has
18. Plaintiff Deborah Wilson resides in Bedford, Ohio. Plaintiff Wilson’s driver’s
license number and other personal information were stolen from TJX’s computer systems, and
19. Plaintiff Kathleen Robinson resides in Lake County, Illinois. Plaintiff Robinson’s
credit card information was stolen from TJX’s computer systems, and she has been damaged as a
result.
Kidd’s credit card information was stolen from TJX’s computer systems, and she has been
5
damaged as a result.
21. Plaintiff Mary Robb Farley resides in Puerto Rico. Plaintiff Farley’s credit card
information was stolen from TJX’s computer systems, and she has been damaged as a result.
22. Defendant TJX is a Delaware corporation with its headquarters at 770 Cochituate
Road, Framingham, Massachusetts, 01701. TJX operates approximately 2,000 retail stores in the
United States and Puerto Rico under such chains as T.J. Maxx, Marshalls, HomeGoods, A.J.
Wright, and Bob’s Stores. These stores are located in at least 48 states throughout the country,
including Massachusetts. TJX also operates approximately 250 retail stores in Canada under
23. Defendant Fifth Third Bancorp is an Ohio corporation with its headquarters at 38
Fountain Square Plaza, Cincinnati, Ohio, 45263. Fifth Third, through its Processing Solutions
segment, is the sponsoring bank that handled TJX’s credit card transactions during the relevant
period. Fifth Third is the nation’s fourth largest credit card processor, and has more than $100
billion in assets.
OPERATIVE FACTS
I. TJX’s Data Breach and Defendants’ Violations of Payment Card Industry Standards
24. TJX purports to be the leading off-price apparel and home fashion retailer in the
United States and worldwide, with $17 billion in revenues during fiscal year 2006. Its stock
trades on the New York Stock Exchange under the symbol TJX.
25. TJX’s computer systems which maintain customer information for all of its retail
stores are located at its headquarters in Massachusetts, and the security breach also occurred
there.
6
26. As reported, the security breach that occurred at TJX represents the largest
27. On January 17, 2007, TJX first publicly announced that it had been hit by a wide-
reaching security breach that may leave millions of its customers around the world exposed to
fraud and identity theft from transactions dating back to 2003. TJX’s press release stated, in
relevant part:
The TJX Companies, Inc. (NYSE: TJX) today announced that it has
suffered an unauthorized intrusion into its computer systems that process and
store information related to customer transactions. While TJX has specifically
identified some customer information that has been stolen from its systems, the
full extent of the theft and affected customers is not yet known. This intrusion
involves the portion of TJX’s computer network that handles credit card, debit
card, check, and merchandise return transactions for customers of its T.J. Maxx,
Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and
its Winners and HomeSense stores in Canada, and may involve customers of its
T.K. Maxx stores in the U.K. and Ireland. . . .
...
Through its investigation, TJX has learned the following with respect to the
intrusion:
...
7
• To date, TJX has been able to specifically identify a limited number of
credit card and debit card holders whose information was removed from
its system and is providing this information to the credit card companies.
In addition, TJX has been able to specifically identify a relatively small
number of customer names with related drivers’ license numbers that were
also removed from its system, and TJX is contacting these individuals
directly.
28. TJX’s press release also stated that TJX discovered the intrusion in “mid-
December, 2006.” Nevertheless, TJX delayed announcing the intrusion until approximately one
month later, when it issued its January 17, 2007 press release. Notably, TJX delayed announcing
the breach until after the busy holiday shopping season, the period in which the greatest amount
of shopping occurs and the greatest amount of revenue is earned by TJX, relative to its other
financial quarters.
29. TJX’s press release further stated that after the security breach occurred, the
Company “significantly strengthened the security of its computer systems.” TJX did not specify
30. On its website, in a section titled “Frequently Asked Questions” concerning the
security breach, TJX stated that the drivers’ license numbers that were stolen were received in
transactions in which merchandise was returned without a receipt. The Company noted the
possibility that some customers’ drivers’ license numbers may be the same as their social security
numbers.
31. On January 19, 2007, The Wall Street Journal reported that the security breach
8
“exposed millions of consumers to potential fraud.” It stated that the number of exposed cards
could exceed 40 million, citing representatives from Visa. The article also stated that “‘patterns
of counterfeit fraud have been reported on some of the affected accounts,’” quoting a letter from
Visa.
32. The January 19, 2007 Wall Street Journal article also stated that U.S. retailers
including TJX are required to follow “stringent card-industry rules,” described as follows:
The rules that cover transactions on cards branded with logos from Visa,
MasterCard International Inc., American Express Co. and Discover
Financial Services, require merchants to validate a series of security
measures, such as the establishment of firewalls to protect databases.
Among other things, merchants are prohibited from storing unprotected
cardholder information.
....
People familiar with the situation have said that TJX doesn’t comply with
those requirements.
33. The applicable “card-industry rules” that were violated include, among other
things, Payment Card Industry (PCI) Data Security Standards, and similar regulations issued by
34. As further reported in The Wall Street Journal on May 4, 2007, during a routine
audit of TJX which took place in or around September 2006, an auditor informed TJX that it was
not complying with many of the requirements imposed by Visa and MasterCard. In addition, as
reported, experts confirmed that TJX’s practices violated credit card industry guidelines.
35. According to an article in The Boston Globe dated March 13, 2007, “MasterCard
International Inc. has acknowledged that TJX failed to meet a data-security standard set by card
9
36. Defendants violated PCI standards including but not limited to the following:
cardholder data.” Defendants violated this requirement as evidenced by the January 19, 2007
Wall Street Journal article noting TJX’s noncompliance with firewall requirements. Another
article in the Wall Street Journal dated May 4, 2007, discussed below, noted that TJX “failed to
requirement as evidenced by, inter alia, the fact that an unauthorized intruder was able to
repeatedly access cardholder data from TJX’s computer systems over a fourteen month period.
public networks.” Defendants violated this requirement because, as discussed below, TJX
disclosed that it did not encrypt payment card and check transaction information prior to April 7,
2004 and possibly even after April 7, 2004. Moreover, as discussed below, The Wall Street
Journal reported on May 4, 2007 that TJX “failed to install . . . data encryption on many of its
computers.” The same article reported that TJX transmitted unencrypted credit and debit card
information to banks during the approval process for card transactions, and this lack of
37. Visa issues “Visa U.S.A. Operating Regulations” (“Visa Operating Regulations”).
MasterCard issues regulations that are contained in “MasterCard International Bylaws and
Authorization System Manual,” “MasterCard International Payment Card Industry Data Security
10
Operating Regulations”). The Visa Operating Regulations and MasterCard Operating
38. The Card Operating Regulations governed the conduct of Defendants at all times
herein. Fifth Third has a contract with Visa and a contract with MasterCard that requires Fifth
Third to comply with the Card Operating Regulations. TJX has a contract with Fifth Third that
39. Defendants are required to comply with the Card Operating Regulations,
including portions that mandate safeguarding of cardholder information and prohibit storage of
40. Defendants violated Card Operating Regulations, including but not limited to the
following:
“Account, Cardholder and Transaction Data Must Be Kept Secure,” which states:
Defendants violated this requirement because they failed to maintain customer information in a
“secure manner so as to prevent access by . . . any authorized party.” Defendants also failed to
11
“Storage of Account, Cardholder, and Transaction Data,” which states:
Defendants violated this requirement because they failed to store cardholder information in a
secure environment to which access was limited. Defendants also stored cardholder information
for longer than necessary to complete the bona fide purpose for which the information was
obtained. For example, as discussed below, TJX stored cardholder information for up to two
41. At all times relevant hereto, TJX knew or should have known that the Card
Operating Regulations required it to secure and keep confidential Visa and MasterCard
cardholder information and magnetic stripe information from unauthorized disclosure, as set out
42. At all times relevant hereto, TJX knew or should have known that the Card
Operating Regulations forbade it from retaining or storing cardholder information longer than
necessary.
43. Fifth Third’s contracts with TJX and Visa and MasterCard, and Defendants’
involvement in this complex web of interrelated financial institutions, required that Defendants:
(a) comply with the Card Operating Regulations; (b) properly secure Visa and MasterCard
cardholder information; (c) not retain or store such information subsequent to processing of a
transaction; and (d) not disclose such information to unauthorized third parties. Defendants
44. On February 21, 2007, TJX issued a press release providing additional details
12
about TJX’s security breach and internal investigation. The press release disclosed that the time
period in which the affected customer transactions occurred had expanded from previous
estimates, and the time period during which the hackers accessed TJX’s computer systems had
expanded from previous estimates. The press release also stated that TJX found additional
drivers’ license numbers together with related names and addresses that it believed were
compromised.
45. On March 28, 2007, TJX filed with the SEC its Form 10-K for fiscal year 2006.
various points “from December 31, 2002 through mid-May 2006” and “during portions of
mid-May [2006] through December 18, 2006,” a combined period of four years;
b. The hackers gained access “in July 2005, on subsequent dates in 2005 and
from mid-May 2006 to mid-January 2007,” meaning that the actual intrusions occurred
Framingham, MA that processes and stores information related to payment card, check
and unreceipted merchandise return transactions for customers of our T.J. Maxx,
Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and our
d. TJX identified a limited number of the credit and debit cards for which
information was believed stolen. The identified cards totaled 45,732,000, comprised of
30,708,000 cards that had expired numbers at the time of the theft and 15,024,000 cards
that had unexpired numbers at the time of the theft. (As reported by The Washington
13
Post on March 30, 2007, “[e]xpired cards can still be at risk because they are often
returns of merchandise without receipts and in some check transactions in our U.S.,
Puerto Rican and Canadian stores (other than Bob’s Stores). In some cases, this personal
information included drivers’ license, military and state identification numbers (referred
to as “personal ID numbers”), together with related names and addresses, and in some of
those cases, we believe those personal ID numbers were the same as the customers’ social
security numbers.”;
names and addresses (and in some cases social security numbers) were stolen. This
included 451,000 customers who returned goods “primarily during the last four months of
2003” at T.J. Maxx, Marshalls, and HomeGoods (but not A.J. Wright), and 3,600
between approximately half to substantially all of the transactions at U.S., Puerto Rican
and Canadian stores during the period from December 31, 2002 through June 28, 2004.”;
h. “The . . . files stolen in 2006 could have included . . . data relative to some
customer transactions from December 31, 2002 through mid-May 2006 . . . .”;
during the card issuer’s approval process when approving credit and debit card
transactions: “the technology utilized in the Computer Intrusion during 2006 could have
14
enabled the Intruder to steal payment card data from our Framingham system during the
payment card issuer’s approval process, in which data (including the track 2 data) is
transmitted to payment card issuers without encryption.” As discussed below, The Wall
Street Journal reported on May 4, 2007 that the lack of encryption during this process
j. TJX did not encrypt payment card and check transaction information prior
to April 7, 2004 and possibly even after April 7, 2004: “For transactions after April 7,
2004 our Framingham system also generally [but not always] began encrypting (meaning
substituted characters for the actual characters using an encryption algorithm provided by
our software vendor) all payment card and check transaction information.”;
k. Even data encrypted by TJX may be at risk: “Further, we believe that the
Intruder had access to the decryption tool for the encryption software utilized by TJX.”;
and
approximately two years from 2004 to 2006, significantly longer than necessary to
complete the business purpose for which the information was obtained: “[W]e identified
the customer data that we believe were stolen in 2006. This information was contained in
two files apparently created in connection with computer systems problems in 2004 and
2006.”
46. On March 29, 2007, The Boston Globe reported that six people were arrested for
using credit card numbers stolen from TJX to buy more than $8 million worth of goods:
Six people arrested and charged with participating in a crime ring that used
15
credit card numbers stolen from TJX Cos. of Framingham to buy more than $8
million worth of electronics at Wal-Mart and Sam’s Club stores across Florida
face arraignment this morning in Jacksonville. . . .
....
....
Specifically, police allege that the individuals, six of whom have been
arrested, made or obtained fake credit cards with real account information on TJX
customers taken from its computers. They allegedly used the credit cards to buy
gift cards from Wal-Mart and Sam’s Club and then allegedly used the cards at
stores throughout Florida to buy more than $8 million worth of electronic goods
such as computers and big-screen televisions, returning the goods in some cases
for cash.
47. On May 4, 2007, The Wall Street Journal reported that the hackers gained access
through TJX’s outdated wireless network. The article pointed out numerous deficiencies in
. . . . The TJX hackers also got personal information such as driver's license
numbers, military identification and Social Security numbers of 451,000
customers -- data that could be used for identity theft. . . . TJX deleted its own
copies of the records stolen by the hackers and can't crack the encryption on files
16
that the hackers left in its system.
....
The ease and scale of the fraud expose how poorly some companies are
protecting their customers’ data on wireless networks, which transmit data by
radio waves that are readily intercepted.
....
....
. . . . [The hackers] first tapped into data transmitted by hand-held equipment that
stores use to communicate price markdowns and to manage inventory. “It was as
easy as breaking into a house through a side window that was wide open,”
according to one person familiar with TJX’s internal probe. The devices
communicate with computers in store cash registers as well as routers that
transmit certain housekeeping data.
After they used that data to crack the encryption code the hackers digitally
eavesdropped on employees logging into TJX’s central database in Framingham
and stole one or more user names and passwords, investigators believe. With that
information, they set up their own accounts in the TJX system and collected
transaction data including credit-card numbers into about 100 large files for their
own access. They were able to go into the TJX system remotely from any
computer on the Internet, probers say.
While the hackers were stealing the data, they were selling it on the
Internet on password-protected sites used by gangs who then run up charges using
fake cards printed with the numbers, investigators say.
....
As the stolen TJX numbers were being used in Florida, the company was
getting a stern warning about its poor security from a routine audit. The auditor
told the company last Sept. 29 [2006] that it wasn’t complying with many of
the requirements imposed by Visa and MasterCard, according to a person
familiar with the report. The auditor’s report cited the outmoded WEP
encryption and missing software patches and firewalls.
Then on Dec. 18, another auditor found anomalies in the company’s card
data. At that point, TJX hired forensics experts from International Business
Machines Corp. and General Dynamics Corp. and notified the U.S. Secret
Service, which spent a month trying to catch the hackers in the act. . . .
On Jan. 17, the company announced its systems had been hacked, affecting
“a limited number of credit and debit card holders.” . . .
(Emphasis added.)
48. Notably, Defendants were on notice as early as 2001 that TJX’s wireless system
and encryption technology were flawed and could easily be pierced. Defendants knew a more
secure system was available in 2003, yet Defendants failed to implement a strengthened system.
Defendants were also on notice that many of TJX’s computers lacked firewalls and data
49. TJX failed to detect the data intrusion in a timely manner. The intrusion first
occurred at least as early as July 2005, continued throughout 2005, and occurred again from mid-
May 2006 forward. However, TJX did not detect the intrusion until mid-December 2006, a delay
18
of eighteen months after the initial intrusion. Had TJX employed effective system monitoring
controls, it would have detected the security breach in a more timely manner.
50. Defendants’ failure to comply with industry standards and regulations, the
magnitude of the data breach (the largest in history), the lengthy period during which the
intrusions occurred (beginning at least as early as July 2005 and occurring over at least a fourteen
month period), the lengthy period in which the compromised transactions took place (four years
from December 31, 2002 forward), and the significant delay between the date of the first
intrusion in July 2005 and the date TJX finally discovered the intrusion in December 2006
(eighteen months), all serve as concrete evidence of Defendants’ negligence and other wrongful
conduct in failing adequately to safeguard and monitor TJX’s computer systems to ensure the
the data theft. TJX disclosed the following in its fiscal 2006 Form 10-K:
....
TJX also has been advised that the Federal Trade Commission (“FTC”)
is investigating the Computer Intrusion to determine whether the Company may
have violated federal law regarding consumer protection and related matters.
52. The security breach is also being investigated by the U.S. Department of Justice,
the U.S. Secret Service, and the U.S. Attorney’s Office in Boston, among other law enforcement
53. Fifth Third Bancorp is the sponsoring bank that handled TJX’s credit and debit
card transactions during the relevant time period. In that role, Fifth Third carried out transactions
that began at the checkout counter, passed through card association networks - such as those of
Visa or Mastercard - went to the cardholder’s issuing bank for approval, and ended with the
54. As discussed above, Fifth Third has a contract with Visa and a contract with
MasterCard that requires Fifth Third to comply with the Card Operating Regulations. Also, Fifth
Third has a contract with TJX that requires TJX to comply with the Card Operating Regulations.
55. According to a New York Times article dated January 19, 2007, Fifth Third, as
the sponsoring bank that handles TJX’s accounts, is “responsible for ensuring that the retailer
56. Referencing Fifth Third, The Wall Street Journal reported on January 19, 2007
that “TJX Cos. might not be the only company on the hook for a security breach that has exposed
millions of consumers to potential fraud.” The article pointed out that because of Fifth Third’s
involvement with credit card processing at TJX, “[b]ased on card-industry rules, that means Fifth
Third likely will be first in line if Visa USA Inc. and MasterCard Inc. levy fines for the breach.”
57. Fifth Third had a duty to ensure that TJX met applicable industry data security
standards, including but not limited to the PCI standards and Card Operating Regulations
discussed above. Fifth Third failed to ensure TJX’s compliance, and Fifth Third breached its
duty.
20
58. Plaintiff Anne Cohen frequently shops at Marshalls. She used her debit card at
Marshalls in November and December 2006, among other months. She also used her debit card
at HomeGoods in November 2006. On or around January 21, 2007, she tried to use her debit
card at an ATM machine. The machine retained her card because the card had been deactivated.
She did not previously know the card was deactivated. She called her bank, Rondout Savings
Bank, which told her the card was on TJX’s list of cards that were compromised during the
security breach. Her bank cancelled the card as a result. She received a replacement card with a
new number approximately two weeks later. She also received a letter from her bank dated
February 6, 2007 implicating TJX for the breach of her card and stating: “Published reports
indicate information that may have been compromised include your name, debit card number,
59. Plaintiff Cohen had several automatic bill-pay transactions linked to her debit
card, including but not limited to her monthly telephone service and health club membership.
Due to the deactivation of her card, of which she was unaware, several vendors were unable to
process their billing transactions. One vendor charged her a $20 penalty because the vendor was
unable to extract the required payment. After she learned of the deactivation, Plaintiff Cohen
spent considerable time instructing vendors not to use her deactivated debit card number any
longer, paying vendors via an alternate method while awaiting receipt of her new card, and re-
establishing electronic links to her new debit card after the new card was received.
60. Due to the unavailability of a debit card for two weeks, Plaintiff Cohen was
inconvenienced in several ways. She was forced to travel to her bank’s branch office on
numerous occasions to withdraw cash. She was also forced to leave work during the workday to
arrive at the bank during banking hours. Further, she was forced to carry large sums of cash on
21
hand on numerous occasions (an unusual and uncomfortable feeling), particularly during an out-
61. Plaintiff Cohen also tried to return certain holiday gifts at two retail stores, but the
stores would not refund her money because the debit card she used to purchase the items was no
longer active. The retailers instead issued her a store credit. This was an inconvenience and
caused financial harm to Plaintiff Cohen because she wanted to use some or all of the refunded
62. Plaintiff Cohen has also returned merchandise at Marshalls without a receipt.
Thus, she may be among the people whose drivers’ license information, name, and address were
63. Plaintiff ACohen Marketing & Public Relations, LLC uses a debit card that is
separate and distinct from Plaintiff Anne Cohen’s personal debit card. Plaintiff Anne Cohen
used ACohen’s debit card to make purchases at Marshalls in at least November and December
2006. On or around January 24, 2007, Anne Cohen tried using ACohen’s debit card for a
transaction, but the card did not work. Anne Cohen called ACohen’s bank, Rondout Savings
Bank, which told her the card was on TJX’s list of cards that were compromised during the
security breach. The bank cancelled the card as a result. ACohen received a replacement card
with a new number approximately two weeks later. Anne Cohen also received a letter from the
bank dated February 6, 2007 implicating TJX for the breach of ACohen’s card and stating:
“Published reports indicate information that may have been compromised include your name,
debit card number, and magnetic stripe information associated with your debit card.”
64. Plaintiff ACohen had several automatic bill-pay transactions linked to its debit
card. After the card was deactivated, ACohen spent considerable time instructing vendors not to
22
use the deactivated card number, paying vendors via an alternate method while awaiting receipt
of the replacement card, and re-establishing electronic links to the new debit card after the new
65. The deactivation of ACohen’s debit card also interrupted ACohen’s business
while ACohen awaited receipt of a replacement card. ACohen was unable to order certain
services on behalf of its clients, and ACohen was unable to order certain goods for the business.
66. Plaintiff Julie Buckley has been a regular customer of TJX’s stores for many
years, and has used both her debit card and her drivers’ license when transacting business with
TJX.
67. On January 18, 2007, she was informed that her debit card information had been
stolen from TJX and that her credit union had preemptively cancelled her card, leaving her
68. Plaintiff Buckley contacted TJX over the telephone. TJX’s employees refused to
provide additional information, to take responsibility for the situation, or to provide any
assistance other than to suggest that Plaintiff Buckley monitor her accounts herself for identity
theft. TJX’s employees refused Plaintiff Buckley’s request that TJX provide her with an identity
theft monitoring service. Plaintiff Buckley has been unable to determine whether her drivers’
69. Plaintiff LaQuita Kearney returned merchandise at TJX stores without a receipt,
including but not limited to HomeGoods, T.J. Maxx, and Marshalls. She received a letter from
We reported in January 2007 that there had been an unauthorized intrusion into
our computer systems. As more recently reported, our investigation subsequently
found additional information that we believe was compromised in the intrusion.
23
We are writing to notify you that your name, address and driver’s license number
were among the information we believe was compromised.
70. As a precautionary measure, Plaintiff Kearney requested her free annual credit
report. However, prior to becoming aware of the identity theft, Plaintiff Kearney had already
requested and received her free credit report for this year and was therefore forced to pay $14 for
a second credit report to monitor her account statements. After reviewing her credit report,
Plaintiff Kearney noticed inquiries for cell phone service and an American Express card that she
71. As a further precautionary measure, Plaintiff Kearney also contacted her local
Department of Motor Vehicles (“DMV”) to obtain a new driver’s license number. Even though
Plaintiff Kearney showed the DMV the March 31, 2007 letter from TJX, the DMV indicated that
they could not help her because the situation was not something that required her information to
be changed. Thus, due to TJX’s security breach, Plaintiff Kearney has been exposed to a
substantial and continuing risk of identity theft since she still has the same driver’s license
72. In addition, Plaintiff Kearney separately received a letter from her bank stating
that her debit card may have been compromised in a recent nationwide breach of card
information involving TJX Companies, Inc. While no fraudulent charges had been made, the
bank issued her a new card and cancelled her old card.
73. The TJX security breach has been a significant inconvenience to Plaintiff Kearney
74. Plaintiff Laura Lerner returned merchandise at TJX stores without a receipt,
including but not limited to HomeGoods, T.J. Maxx, and Marshalls. She received a letter from
24
TJX dated January 24, 2007 stating:
. . . I regret to report to you that there has been an unauthorized intrusion into
our computer systems that process and store information related to customer
transactions for our T.J. Maxx, Marshalls, Homegoods and A.J. Wright stores
in the U.S. We have specifically identified a relatively small number of
customer names and addresses with related driver’s license numbers that were
stolen from our computer systems, and we are writing to notify you that your
information was among the data stolen.
75. Plaintiff Lerner received a similar letter from TJX dated March 31, 2007. It is
unclear whether the latter letter references the same data theft as the prior letter or a second data
76. Plaintiff Lerner’s driver’s license number was the same as her social security
number. Thus, due to TJX’s security breach, she has been exposed to a substantial and
continuing risk of identity theft. As a precautionary measure, Plaintiff Lerner has placed a 90-
day fraud alert on her credit report. She also obtained a new driver’s license with a license
number that is different from her social security number. She paid a $20 fee to obtain the new
license. In addition, the TJX security breach has been a significant inconvenience to Plaintiff
77. Plaintiff Robert Mann shopped at T.J. Maxx and HomeGoods frequently,
including but not limited to in December 2006. He generally used his debit card for purchases at
these stores. In late January 2007, he tried to use his debit card for a transaction, but the
transaction failed. He checked his account on-line and saw that approximately 110 fraudulent
transactions had occurred, or were attempted, on his card during a four-day period from January
24, 2007 to January 27, 2007. Several of the charges were similar in description to fraudulent
charges reported in the media and on the internet by other victims of the TJX security breach,
including but not limited to charges at WalMart and charges in foreign countries. There were
25
thousands of dollars of fraudulent transactions on Plaintiff Mann’s account. His bank
78. Plaintiff Mann took two days off from work, without pay, to investigate and
address the fraudulent charges on his account. As a result of his efforts, his bank ultimately
agreed to reverse the charges. Plaintiff Mann lost the use of his debit card for approximately one
week between the date his old card was cancelled and the date his new card was activated. This
was a significant inconvenience because he was forced to travel to a bank branch to withdraw
and carry large sums of cash. Further, as a precaution, Plaintiff Mann cancelled several of his
other credit cards and ordered replacement cards with new card numbers. This was inconvenient
79. Plaintiff Jitka Parmet shops frequently at Marshalls, T.J. Maxx and Homegoods,
and specifically made purchases with her MasterCard there in May and June of 2006.
80. In January 2007, Plaintiff Parmet was attempting to make a retail purchase when
her MasterCard was rejected. Although she was able to make the purchase with a different card,
81. Plaintiff Parmet was informed by her credit card company that several hundred
dollars of online purchases had been made on her card, and, because she does not typically shop
online, the card company had flagged her account. The company ultimately cancelled her
account and issued her a new card. Plaintiff Parmet spent considerable time to challenge these
online purchases, which she did not make. As a result of her efforts, the charges were reversed.
The charges occurred on December 18, 2006. TJX publicly disclosed that it discovered the
intrusion into its computer systems in “mid-December, 2006.” It is possible that if TJX had
announced the theft immediately, Plaintiff Parmet might have been able to cancel her card before
26
these charges were incurred.
82. Because Plaintiff Parmet has used her MasterCard at TJX’s stores, and has no
knowledge of any other likely way that her card information was otherwise compromised, she
83. Plaintiff Parmet separately received a letter from her credit union stating that her
Visa debit card “may have been compromised in a recent nationwide breach of card information
involving TJX Companies, Inc.” While no fraudulent charges had been made, the credit union
issued her a new card and cancelled her old card, which was an inconvenience to Plaintiff
Parmet.
84. Plaintiff Kimberly Myck-Rawson shopped at a T.J. Maxx store in Bend, Oregon
on several occasions in the latter part of 2006. She has used her Visa debit card and her Visa
85. Plaintiff Myck-Rawson’s husband was contacted by the couple’s credit union on
January 19, 2007 and informed that a thief had attempted to use her debit card and that the credit
86. Plaintiff Myck-Rawson contacted her credit union and was told that a local
merchant’s computer system had been compromised and her financial information had been
stolen. However, the credit union stated that, at the request of Visa, it would not reveal the name
of the merchant. After several emotionally stressful days of attempting to learn more information
from Visa and from her credit union, Plaintiff Myck-Rawson was finally informed by her credit
obtain cash from ATM machines until she received a new debit card.
27
88. Because Plaintiff Myck-Rawson also used her Visa credit card at TJX’s stores,
she has cancelled that card and has received a replacement. This process has caused her further
inconvenience.
89. Plaintiff Deborah Wilson has been shopping at TJX stores for over twenty-one
years and has returned merchandise at T.J. Maxx without a receipt. She received a letter from
We reported in January 2007 that there had been an unauthorized intrusion into
our computer systems. As more recently reported, our investigation subsequently
found additional information that we believe was compromised in the intrusion.
We are writing to notify you that your name, address and driver’s license number
were among the information we believe was compromised.
90. As a precautionary measure, Plaintiff Wilson contacted her local DMV for
information about what procedures to follow in order to protect against possible identity fraud.
The DMV, however, provided no assistance to Plaintiff Wilson and in fact, informed Plaintiff
Wilson that her driver’s license information could not be changed. Thus, as a result of TJX’s
security breach, Plaintiff Wilson has been exposed to a substantial and continuing risk of identity
theft since she still has the same driver’s license information as prior to the security breach.
Additionally, the TJX security breach has been a significant inconvenience to Plaintiff Wilson
91. Plaintiff Kathleen Robinson used her Mastercard to purchase items from T.J.
Maxx on several occasions during 2006, including but not limited to the following dates: August
8, 2003; August 16, 2003; January 24, 2004; April 10, 2004; May 29, 2004; August 15, 2004;
February 11, 2006; May 5, 2006; June 4, 2006; and August 16, 2006. Additionally, Plaintiff
Robinson returned products purchased with her Mastercard to T.J. Maxx on January 20, 2003
2003 to August 2006, TJX stored within its computer system and was in possession of Plaintiff
Robinson’s private, non-public personal and financial information from July 2005 to January
2007.
93. Plaintiff Robinson’s private, non-public personal and financial information has
94. Plaintiff Shannon Kidd shopped at TJX stores using a credit card, and her
95. Plaintiff Mary Robb Farley is a Marshalls customer. She made credit card
transactions at Marshalls during the period that TJX announced its computer system had been
compromised.
96. As a result of Defendants’ conduct, Plaintiffs and Class members have had their
financial and personal information stolen or compromised, have had their privacy rights violated,
have been exposed to the risk of fraud and identity theft, and have suffered other damages.
97. Plaintiffs and Class members have spent, and will continue to spend, considerable
time to monitor their accounts and/or credit histories for fraudulent activity in seeking to prevent
98. Plaintiffs and Class members have also incurred out-of-pocket losses for items
including but not limited to fraudulent charges on their accounts (to the extent not reversed by
their banks), credit monitoring and credit card monitoring services, identity theft insurance, costs
to obtain credit reports, late fees and penalties charged by vendors that were expecting timely
payment through debit and credit cards but didn’t receive payment when cardholders’ cards were
cancelled, unpaid time off from work, notary fees incurred in submitting affidavits to dispute
29
fraudulent charges, and wire fees for funds wired to Class members who were out of town when
99. Further, a significant number of Class members have paid fees to change their
drivers’ license number. The Massachusetts Registry of Motor Vehicles website, in a section
expressly addressed to TJX customers whose drivers’ license information was compromised,
encourages affected customers to change their drivers’ license number. A $20 fee is assessed for
100. Class members have also been burdened by the need to place a fraud alert on their
credit file and/or drivers’ license number. TJX, through its website and letters to certain affected
consumers, encouraged customers to place a fraud alert on their credit file and/or drivers’ license
number. Placing a fraud alert requires customers to spend considerable time formally requesting
the fraud alert. Further, with respect to drivers’ license numbers, once a fraud alert is in place,
the fraud alert requires the licensee to undergo burdensome and time-consuming steps to perform
future license-related transactions. For example, the Massachusetts Registry of Motor Vehicles
30
The need to appear in person to perform routine license-related transactions that could
a. out-of-pocket loss for, inter alia, fraudulent charges on their accounts (to
the extent not reversed by banks), the cost of credit monitoring and/or credit card
monitoring services, the cost of identity theft insurance, costs to obtain credit reports, fees
charged by vendors that were expecting timely payment through debit and credit cards but
didn’t receive payment, unpaid time off from work, notary fees, wire fees, and fees to
b. loss of control of their credit and debit card, Personal ID, and check
information;
d. the burden of closely scrutinizing account statements and credit reports for
unauthorized activity;
f. the burden and consequences of placing a fraud alert on their credit file
102. The Class is also entitled to injunctive relief including but not limited to: (i) the
provision of credit monitoring and/or credit card monitoring services (to the extent not already
paid for by Class members); (ii) the provision of identity theft insurance (to the extent not already
paid for by Class members); and (iii) the requirement that TJX enhance the security of its
computer system to minimize the likelihood of intrusions in the future. Injunctive relief is
required because money damages alone are insufficient to redress the irreparable harm that Class
103. Plaintiffs bring this class action, pursuant to Federal Rule of Civil Procedure 23(a)
and (b)(3), on behalf of themselves and all others similarly situated (the “Class”), defined as
follows:
All persons or entities in the United States (including the District of Columbia),
Puerto Rico or Canada who shopped at TJX stores in the United States, Puerto
Rico or Canada, made a purchase or return, have had or allege having had
personal or financial data stolen or placed at risk of being stolen from TJX’s
computer systems, and who were or may be damaged thereby or who allege
damage therefrom.
Excluded from the Class are TJX, Fifth Third, and their respective officers and directors.
104. The Class consists of millions of customers of TJX’s retail stores located
throughout Massachusetts and the United States, as well as Puerto Rico and Canada. Based on
TJX’s admission that millions of customer accounts have been compromised, the Class is so
32
financial data and in failing to notify customers of the security breach as soon as practical after
106. Questions of law and fact common to all Class members predominate over any
questions affecting only individual members. Such questions of law and fact common to the
Class include:
g. whether Plaintiffs and the Class have been damaged, and, if so, what types
107. Plaintiffs’ claims, as described herein, are typical of the claims of all Class
members, as the claims of Plaintiffs and all Class members arise from the same set of facts
regarding Defendants’ failure to protect Class members’ personal and financial data. Plaintiffs
maintain no interests that are antagonistic to the interests of other Class members.
33
108. Plaintiffs are committed to the vigorous prosecution of this action and have
retained competent counsel experienced in the prosecution of class actions of this type.
Accordingly, Plaintiffs are adequate representatives of the Class and will fairly and adequately
109. This class action is a fair and efficient method of adjudicating the claims of
would likely create a risk of inconsistent or varying adjudications with respect to individual
members of the Class thereby establishing incompatible standards of conduct for Defendants or
would allow some Class members’ claims to adversely affect other Class members’ ability to
c. this forum is appropriate for litigation of this action since the causes of
eliminate the possibility of repetitious litigation, while also providing redress for claims that may
110. For these reasons, a class action is superior to other available methods for the fair
COUNT I: NEGLIGENCE
34
(As To All Defendants)
111. Plaintiffs repeat and re-allege the allegations contained in the foregoing
112. Defendants assumed a duty, and had duties imposed upon them by regulations, to
use reasonable care to keep Class members’ credit and debit card, Personal ID, and check
transaction information private and secure. By their acts and omissions described herein,
Defendants unlawfully breached this duty. The Class was damaged thereby.
113. The private information of the Class that was stolen or compromised by the
breach of TJX’s security includes, without limitation, information that was being improperly
stored and inadequately safeguarded in violation of, among other things, industry rules and
regulations. According to The Wall Street Journal on January 19, 2007, “[p]eople familiar with
the situation have said that TJX doesn’t comply with those [industry] requirements.” As further
reported in The Wall Street Journal on May 4, 2007, according to auditors of TJX as well as
industry experts, Defendants failed to comply with specific industry standards governing the
114. More specifically, Defendants failed to comply with PCI standards including but
cardholder data.” Defendants violated this requirement as evidenced by the January 19, 2007
Wall Street Journal article noting TJX’s noncompliance with firewall requirements. Another
article in the Wall Street Journal dated May 4, 2007 noted that TJX “failed to install firewalls . . .
repeatedly access cardholder data from TJX’s computer systems over a fourteen month period.
public networks.” Defendants violated this requirement because TJX disclosed that it did not
encrypt payment card and check transaction information prior to April 7, 2004 and possibly even
after April 7, 2004. Moreover, The Wall Street Journal reported on May 4, 2007 that TJX “failed
to install . . . data encryption on many of its computers.” The same article reported that TJX
transmitted unencrypted credit and debit card information to banks during the approval process
for card transactions, and this lack of encryption violated credit card industry guidelines
according to experts.
115. Defendants also failed to comply with Card Operating Regulations, including but
“Account, Cardholder and Transaction Data Must Be Kept Secure,” which states:
Defendants violated this requirement because they failed to maintain customer information in a
“secure manner so as to prevent access by . . . any authorized party.” Defendants also failed to
Defendants violated this requirement because they failed to store cardholder information in a
secure environment to which access was limited. Defendants also stored cardholder information
for longer than necessary to complete the bona fide purpose for which the information was
obtained. For example, TJX stored cardholder information for up to two years, significantly
116. The PCI standards and Card Operating Regulations created a duty of reasonable
care and a standard of care that Defendants violated. Defendants’ violations of those standards
117. According to The New York Times on January 19, 2007, Defendant Fifth Third
Bank is the “sponsoring bank that handles TJX’s accounts, which makes it responsible for
ensuring that the retailer [TJX] met the industry’s data security standards.” Fifth Third breached
its duty to ensure that TJX met applicable data security standards as discussed above.
118. The breach of security was a direct and proximate result of Defendants’ failure to
use reasonable care to implement and maintain appropriate security procedures reasonably
designed to protect the nonpublic information of the Class. This breach of security and resulting
Defendants, particularly (but not exclusively) in light of Defendants’ knowledge that TJX’s
119. Moreover, in June 2005, before the security breach at TJX, it was made public
37
that CardSystems Solutions Inc., a provider of credit card processing services, suffered a severe
security breach whereby a hacker accessed its computer systems and compromised nonpublic
information of approximately 40 million consumer credit card account holders. Given the well-
publicized data breach at CardSystems, Defendants TJX and Fifth Third were alerted to the risk
and potential impact of a data intrusion. Thus Defendants should have undertaken adequate
measures to assess or re-assess their computer systems, ensure compliance with industry data
120. Defendants were in a special fiduciary relationship with the Class by reason of
their entrustment with credit and debit card information, Personal ID information, and check
transaction information. By reason of this fiduciary relationship, Defendants had a duty of care
to use reasonable means to keep the nonpublic information of the Class private and secure.
121. Pursuant to Class members’ rights to privacy, Defendants had a duty to use
reasonable care to prevent the unauthorized access, use, or dissemination of Class members’
122. Defendants’ failure to comply with industry standards and regulations, the
magnitude of the data breach (the largest in history), the lengthy period during which the
intrusions occurred (beginning at least as early as July 2005 and occurring over at least a fourteen
month period), the lengthy period in which the compromised transactions took place (four years
from December 31, 2002 forward), and the significant delay between the date of the first
intrusion in July 2005 and the date TJX finally discovered the intrusion in December 2006
(eighteen months), all serve as concrete evidence of Defendants’ negligence and other wrongful
conduct in failing adequately to safeguard and monitor TJX’s computer systems to ensure the
38
security of its customers’ personal and financial data.
123. The compromise of the Class’ nonpublic information, and the resulting burden,
fear, anxiety, emotional distress, loss of time spent seeking to prevent or undo any further harm,
and other economic and non-economic damages to the Class were the direct and proximate result
124. Defendants also had a duty to publicly disclose the data compromise in a timely
manner. Timely public disclosure was required so that, among other things, Plaintiffs and Class
members could take appropriate measures to avoid unauthorized charges on their accounts,
cancel or change account numbers on compromised cards, change their drivers’ license numbers
or state and military identification numbers, and monitor their account information and credit
125. Defendants breached this duty by failing to notify the public in a timely manner
that information was compromised. TJX discovered the data intrusion in “mid-December,
2006,” but TJX did not announce the intrusion until approximately one month later on January
17, 2007. TJX delayed announcing the breach until after the busy holiday shopping season, the
period in which the greatest amount of shopping occurs and the greatest amount of revenue is
126. Class members were harmed by Defendants’ delay because, among other things,
fraudulent charges have been made to Class members’ accounts, and Class members have
incurred time and money to dispute the charges with their banks.
127. Defendants knew or should have known that TJX’s computer systems for
processing and storing credit and debit card, Personal ID, and check transaction information had
security vulnerabilities. Defendants were negligent in continuing such data processing and
39
storage in light of those vulnerabilities and the sensitivity of the data.
128. As a direct and proximate result of Defendants’ conduct, Class members suffered
damages including, but not limited to, those set forth in paragraphs 58-101 above.
129. Plaintiffs and Class members have not in any way contributed to the security
breach at TJX or to the compromise or theft of their personal and financial data.
130. Plaintiffs repeat and re-allege the allegations contained in the foregoing
131. Upon information and belief, Plaintiffs and the Class are third party beneficiaries
of contracts entered into between TJX and Fifth Third, and/or between Defendants and credit
card associations/networks. These contracts require that Defendants safeguard the personal and
132. Defendants breached these contracts, and, as a result of these breaches, Plaintiffs
133. Plaintiffs repeat and re-allege the allegations contained in the foregoing
134. When providing personal and financial information to TJX in order to transact
business at TJX’s retail stores, Plaintiffs and the Class entered into implied contracts with TJX
such that TJX would safeguard this information and notify them promptly of any and all theft of
this information.
40
135. Without such implied contracts, customers (including Plaintiffs and the Class)
would not have used their personal and financial information to transact business with TJX.
136. TJX breached these implied contracts, and, as a result of these breaches, Plaintiffs
137. This Count is brought by all Plaintiffs (excluding ACohen Marketing & Public
Relations, LLC) on behalf of all Class members other than those that engage in the conduct of
138. Said Plaintiffs repeat and re-allege the allegations contained in the foregoing
Plaintiffs and the Class (as limited above) for years, and Defendants’ failure to safeguard the
security of such information, as alleged above, constituted unfair or deceptive practices under
Massachusetts all or a substantial part of its computer systems containing such customer
information, and the security breach of its computer systems took place primarily and
substantially in Massachusetts.
141. Said Plaintiffs and the members of the Class (as limited above) have been
41
damaged as a result of Defendants’ unfair practices.
142. Defendants’ conduct was committed willfully, knowingly, in bad faith and in
143. Demand on behalf of the Class (as limited above) has been made upon Defendants
144. This Count is brought by Plaintiff ACohen Marketing & Public Relations, LLC on
behalf of all Class members that engage in the conduct of any trade or commerce as set forth in
145. Said Plaintiff repeats and re-alleges the allegations contained in the foregoing
146. Defendants’ retaining sensitive financial and personal information of Plaintiff and
the Class (as limited above) for years, and Defendants’ failure to safeguard the security of such
Massachusetts all or a substantial part of its computer systems containing such customer
information, and the security breach of its computer systems took place primarily and
substantially in Massachusetts.
42
148. Said Plaintiff and the members of the Class (as limited above) have been damaged
149. Defendants’ conduct was committed willfully, knowingly, in bad faith and in
150. Demand on behalf of the Class (as limited above) has been made upon Defendants
A. that this Court certify this action as a Class action pursuant to Federal Rule
of Civil Procedure 23(a) and (b)(3), and appoint Plaintiffs and their counsel to represent the
Class;
B. that this Court enter judgment in favor of Plaintiffs and the Class, and
C. that this Court award damages to Plaintiffs and the Class under the legal
D. that this Court award treble damages, attorneys’ fees and costs to Plaintiffs
and the Class under Mass. Gen. Law Chap. 93A §§ 9(3), 11;
E. that this Court award injunctive relief, including but not limited to: (i) the
provision of credit monitoring and/or credit card monitoring services for the Class; (ii) the
provision of identity theft insurance for the Class; and (iii) the requirement that TJX enhance the
security of its computer system to minimize the likelihood of intrusions in the future;
F. that this Court award attorneys’ fees, expenses, and costs of this suit;
43
G. that this Court award Plaintiffs and the Class pre-judgment and post-
H. that this Court award such other and further relief as it may deem just and
appropriate.
Plaintiffs, on behalf of themselves and the Class, demand a trial by jury on all issues so
triable.
44
Dated: December 20, 2007 Respectfully Submitted,
45
Certificate of Service
I hereby certify that this document filed through the ECF system will be sent
electronically to the registered participants as identified on the Notice of Electronic
Filing (NEF) and paper copies will be sent to those indicated as non registered
participants on December 20, 2007.
46