
UNITED STATES DISTRICT COURT
DISTRICT OF MASSACHUSETTS

IN RE TJX COMPANIES RETAIL SECURITY BREACH LITIGATION
(Including cases transferred pursuant to THE TJX COMPANIES, INC. CUSTOMER DATA SECURITY BREACH LITIGATION)

MASTER DOCKET
Civil Action No. 07-10162-WGY (Lead Case)
MDL Docket No. 1838

THIS DOCUMENT RELATES TO:
CONSUMER TRACK ACTIONS

AMENDED CONSOLIDATED CLASS ACTION COMPLAINT

Plaintiffs Anne Cohen, ACohen Public Relations, LLC (“ACohen”), Julie Buckley, LaQuita Kearney, Laura Lerner, Robert Mann, Jitka Parmet, Kimberly Myck-Rawson, Deborah Wilson, Kathleen Robinson, Shannon Kidd, and Mary Robb Farley (collectively “Plaintiffs”) hereby bring this class action suit against TJX Companies, Inc. (“TJX” or the “Company”) and Fifth Third Bancorp (“Fifth Third”) (collectively “Defendants”). Plaintiffs make the following allegations based upon the investigation undertaken by Plaintiffs’ counsel, which included, inter alia, review and analysis of TJX’s public filings with the Securities and Exchange Commission (“SEC”), TJX’s press releases, Defendants’ websites, various news articles, and filings in related legal proceedings.

Certain plaintiffs in the actions consolidated herein are not set forth as named plaintiffs herein. Those plaintiffs are not waiving or dismissing any rights. The Plaintiffs named herein are perfectly adequate to represent this Class and to assert the claims contained herein.

NATURE OF THIS ACTION

1. Plaintiffs bring this class action suit on their own behalf and on behalf of all other persons or entities in the United States, Puerto Rico, and Canada who shopped at TJX’s stores in the United States, Puerto Rico, or Canada, made a purchase or return, and have had personal or financial data stolen or compromised from TJX’s computer systems. This suit seeks to redress Defendants’ failure to adequately safeguard consumers’ private financial and personal information. As reported, the security breach at TJX represents the largest computer theft of personal data in history. More specifically, this action arises from Defendants’ failure to maintain adequate computer security of consumers’: (i) credit and debit card information; (ii) drivers’ licenses, military, and state identification numbers, with related names and addresses and sometimes containing social security numbers (collectively “Personal ID” information); and (iii) check transaction information, all of which was accessed and stolen by computer hackers.

2. As reported in The Wall Street Journal on May 4, 2007, according to auditors of TJX, as well as industry experts, Defendants failed to comply with specific industry standards governing the security of credit card and other data. Reportedly, TJX’s “wireless network had less security than many people have on their home networks.” As a result, consumer information was stolen from TJX’s computer systems that handle a wide range of financial information for its customers, including transactions involving credit cards, debit cards linked to checking accounts, returned merchandise, and check transactions. As a result of Defendants’ wrongful conduct, millions of TJX’s customers have had their financial and personal information stolen or compromised, have had their privacy rights violated, have been exposed to fraud and identity theft or at least the risk thereof, and have otherwise suffered damages.

3. According to TJX, the hackers gained access into its systems “in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007,” meaning the security breaches occurred during at least a fourteen month period. Inexplicably, TJX did not detect the breach until mid-December 2006, eighteen months after the initial intrusion. TJX then waited approximately one month to publicly announce the security breach on January 17, 2007. Notably, TJX delayed announcing the breach until after the busy holiday shopping season, the period in which the greatest amount of shopping occurs and the greatest amount of revenue is earned by TJX and its subsidiaries, relative to its other financial quarters.

4. The compromised customer transactions took place at various points during a four year period, from December 31, 2002 through December 18, 2006.

5. It has been reported that 45.7 million credit and debit cards have been compromised, and 454,600 individuals’ Personal ID information has been compromised.

6. According to the May 4, 2007 Wall Street Journal article, TJX had an outdated wireless network through which the hackers gained access. TJX had further computer deficiencies, as it “failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought.” TJX also had “outmoded WEP encryption and missing software patches and firewalls.”

7. Defendants’ failure to comply with industry standards and regulations, the magnitude of the data breach (the largest in history), the lengthy period during which the intrusions occurred (beginning at least as early as July 2005 and occurring over at least a fourteen month period), the lengthy period in which the compromised transactions took place (four years from December 31, 2002 forward), and the significant delay between the date of the first intrusion in July 2005 and the date TJX finally discovered the intrusion in December 2006 (eighteen months), all serve as concrete evidence of Defendants’ negligence and other wrongful conduct in failing adequately to safeguard and monitor TJX’s computer systems to ensure the security of its customers’ personal and financial data.

JURISDICTION AND VENUE

8. Jurisdiction of this Court is invoked pursuant to 28 U.S.C. § 1332(d), as the matter in controversy exceeds $5 million, at least one Plaintiff has diverse citizenship from at least one Defendant, and there are more than 100 class members.

9. Venue properly lies in this District pursuant to 28 U.S.C. § 1391(a)(2) because the cause of action arose in this District, and the unlawful conduct of Defendants, out of which the cause of action arose, took place in this District.

PARTIES

10. Plaintiff Anne Cohen resides in Kingston, New York. Plaintiff Cohen’s debit card information was stolen from TJX’s computer systems, and she has been damaged as a result.

11. Plaintiff ACohen Marketing & Public Relations, LLC is headquartered in Kingston, New York. Plaintiff Anne Cohen is the Principal of Plaintiff ACohen. ACohen’s debit card information was stolen from TJX’s computer systems, and ACohen has been damaged as a result.

12. Plaintiff Julie Buckley resides in Ann Arbor, Michigan. Plaintiff Buckley’s debit card information was stolen from TJX’s computer systems, and she has been damaged as a result.

13. Plaintiff LaQuita Kearney resides in Memphis, Tennessee. Plaintiff Kearney’s driver’s license number and other personal information were stolen from TJX’s computer systems, and she has been damaged as a result.

14. Plaintiff Laura Lerner resides in Hopkinton, Massachusetts. Plaintiff Lerner’s driver’s license number and other personal information were stolen from TJX’s computer systems, and she has been damaged as a result.

15. Plaintiff Robert Mann resides in Pembroke, Massachusetts. Plaintiff Mann’s debit card information was stolen from TJX’s computer systems, and he has been damaged as a result.

16. Plaintiff Jitka Parmet resides in Camarillo, California. Plaintiff Parmet’s credit and debit card information was stolen from TJX’s computer systems, and she has been damaged as a result.

17. Plaintiff Kimberly Myck-Rawson resides in Redmond, Oregon. Plaintiff Myck-Rawson’s debit card information was stolen from TJX’s computer systems. She also believes that her credit card information may have been stolen from TJX’s computer systems. She has been damaged as a result.

18. Plaintiff Deborah Wilson resides in Bedford, Ohio. Plaintiff Wilson’s driver’s license number and other personal information were stolen from TJX’s computer systems, and she has been damaged as a result.

19. Plaintiff Kathleen Robinson resides in Lake County, Illinois. Plaintiff Robinson’s credit card information was stolen from TJX’s computer systems, and she has been damaged as a result.

20. Plaintiff Shannon Kidd resides in Rosetown, Saskatchewan, Canada. Plaintiff Kidd’s credit card information was stolen from TJX’s computer systems, and she has been damaged as a result.

21. Plaintiff Mary Robb Farley resides in Puerto Rico. Plaintiff Farley’s credit card information was stolen from TJX’s computer systems, and she has been damaged as a result.

22. Defendant TJX is a Delaware corporation with its headquarters at 770 Cochituate Road, Framingham, Massachusetts, 01701. TJX operates approximately 2,000 retail stores in the United States and Puerto Rico under such chains as T.J. Maxx, Marshalls, HomeGoods, A.J. Wright, and Bob’s Stores. These stores are located in at least 48 states throughout the country, including Massachusetts. TJX also operates approximately 250 retail stores in Canada under such chains as Winners and HomeSense.

23. Defendant Fifth Third Bancorp is an Ohio corporation with its headquarters at 38 Fountain Square Plaza, Cincinnati, Ohio, 45263. Fifth Third, through its Processing Solutions segment, is the sponsoring bank that handled TJX’s credit card transactions during the relevant period. Fifth Third is the nation’s fourth largest credit card processor, and has more than $100 billion in assets.

OPERATIVE FACTS

I. TJX’s Data Breach and Defendants’ Violations of Payment Card Industry Standards

24. TJX purports to be the leading off-price apparel and home fashion retailer in the United States and worldwide, with $17 billion in revenues during fiscal year 2006. Its stock trades on the New York Stock Exchange under the symbol TJX.

25. TJX’s computer systems which maintain customer information for all of its retail stores are located at its headquarters in Massachusetts, and the security breach also occurred there.

26. As reported, the security breach that occurred at TJX represents the largest computer theft of personal data in history.

27. On January 17, 2007, TJX first publicly announced that it had been hit by a wide-reaching security breach that may leave millions of its customers around the world exposed to fraud and identity theft from transactions dating back to 2003. TJX’s press release stated, in relevant part:

The TJX Companies, Inc. (NYSE: TJX) today announced that it has
suffered an unauthorized intrusion into its computer systems that process and
store information related to customer transactions. While TJX has specifically
identified some customer information that has been stolen from its systems, the
full extent of the theft and affected customers is not yet known. This intrusion
involves the portion of TJX’s computer network that handles credit card, debit
card, check, and merchandise return transactions for customers of its T.J. Maxx,
Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and
its Winners and HomeSense stores in Canada, and may involve customers of its
T.K. Maxx stores in the U.K. and Ireland. . . .

...

Through its investigation, TJX has learned the following with respect to the
intrusion:

• An unauthorized intruder accessed TJX’s computer systems that process
and store information related to customer transactions for its T.J. Maxx,
Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico
and its Winners and HomeSense stores in Canada.

...

• Portions of the information stored in the affected part of TJX’s network
regarding credit and debit card sales transactions in TJX’s stores
(excluding Bob’s Stores) in the U.S., Canada, and Puerto Rico during
2003, as well as such information for these stores for the period from mid-May
through December, 2006 may have been accessed in the intrusion.
TJX has provided the credit card companies and issuing banks with
information on these and other transactions.

• To date, TJX has been able to specifically identify a limited number of
credit card and debit card holders whose information was removed from
its system and is providing this information to the credit card companies.
In addition, TJX has been able to specifically identify a relatively small
number of customer names with related drivers’ license numbers that were
also removed from its system, and TJX is contacting these individuals
directly.

• TJX is continuing its investigation seeking to determine whether
additional customer information may have been compromised. TJX does
not know if it will be able to identify additional information of specific
customers that may have been taken.

28. TJX’s press release also stated that TJX discovered the intrusion in “mid-December, 2006.” Nevertheless, TJX delayed announcing the intrusion until approximately one month later, when it issued its January 17, 2007 press release. Notably, TJX delayed announcing the breach until after the busy holiday shopping season, the period in which the greatest amount of shopping occurs and the greatest amount of revenue is earned by TJX, relative to its other financial quarters.

29. TJX’s press release further stated that after the security breach occurred, the Company “significantly strengthened the security of its computer systems.” TJX did not specify the nature of the improvements or the areas that required strengthening.

30. On its website, in a section titled “Frequently Asked Questions” concerning the security breach, TJX stated that the drivers’ license numbers that were stolen were received in transactions in which merchandise was returned without a receipt. The Company noted the possibility that some customers’ drivers’ license numbers may be the same as their social security numbers.

31. On January 19, 2007, The Wall Street Journal reported that the security breach “exposed millions of consumers to potential fraud.” It stated that the number of exposed cards could exceed 40 million, citing representatives from Visa. The article also stated that “‘patterns of counterfeit fraud have been reported on some of the affected accounts,’” quoting a letter from Visa.

32. The January 19, 2007 Wall Street Journal article also stated that U.S. retailers including TJX are required to follow “stringent card-industry rules,” described as follows:

The rules that cover transactions on cards branded with logos from Visa,
MasterCard International Inc., American Express Co. and Discover
Financial Services, require merchants to validate a series of security
measures, such as the establishment of firewalls to protect databases.
Among other things, merchants are prohibited from storing unprotected
cardholder information.

....

People familiar with the situation have said that TJX doesn’t comply with
those requirements.

33. The applicable “card-industry rules” that were violated include, among other things, the Payment Card Industry (PCI) Data Security Standard, and similar regulations issued by Visa and MasterCard.

34. As further reported in The Wall Street Journal on May 4, 2007, during a routine audit of TJX which took place in or around September 2006, an auditor informed TJX that it was not complying with many of the requirements imposed by Visa and MasterCard. In addition, as reported, experts confirmed that TJX’s practices violated credit card industry guidelines.

35. According to an article in The Boston Globe dated March 13, 2007, “MasterCard International Inc. has acknowledged that TJX failed to meet a data-security standard set by card companies at the time of its breach.”

36. Defendants violated PCI standards including but not limited to the following:

a. “Requirement 1: Install and maintain a firewall configuration to protect cardholder data.” Defendants violated this requirement as evidenced by the January 19, 2007 Wall Street Journal article noting TJX’s noncompliance with firewall requirements. Another article in the Wall Street Journal dated May 4, 2007, discussed below, noted that TJX “failed to install firewalls . . . on many of its computers.”

b. “Requirement 3: Protect stored cardholder data.” Defendants violated this requirement as evidenced by, inter alia, the fact that an unauthorized intruder was able to repeatedly access cardholder data from TJX’s computer systems over a fourteen month period.

c. “Requirement 4: Encrypt transmission of cardholder data across open, public networks.” Defendants violated this requirement because, as discussed below, TJX disclosed that it did not encrypt payment card and check transaction information prior to April 7, 2004 and possibly even after April 7, 2004. Moreover, as discussed below, The Wall Street Journal reported on May 4, 2007 that TJX “failed to install . . . data encryption on many of its computers.” The same article reported that TJX transmitted unencrypted credit and debit card information to banks during the approval process for card transactions, and this lack of encryption violated credit card industry guidelines according to experts.

37. Visa issues “Visa U.S.A. Operating Regulations” (“Visa Operating Regulations”). MasterCard issues regulations that are contained in “MasterCard International Bylaws and Rules,” “MasterCard International Security Rules and Procedures,” “MasterCard International Authorization System Manual,” “MasterCard International Payment Card Industry Data Security Standard,” and “MasterCard International Operating Regulations” (collectively “MasterCard Operating Regulations”). The Visa Operating Regulations and MasterCard Operating Regulations are hereinafter collectively referred to as “Card Operating Regulations.”

38. The Card Operating Regulations governed the conduct of Defendants at all times herein. Fifth Third has a contract with Visa and a contract with MasterCard that requires Fifth Third to comply with the Card Operating Regulations. TJX has a contract with Fifth Third that requires TJX to comply with the Card Operating Regulations.

39. Defendants are required to comply with the Card Operating Regulations, including portions that mandate safeguarding of cardholder information and prohibit storage of cardholder information longer than necessary.

40. Defendants violated Card Operating Regulations, including but not limited to the following:

a. The “Visa USA Cardholder Information Security Program (CISP),” which is similar to the PCI standards program discussed above.

b. The MasterCard International Bylaws and Rules, section 9.15.3 titled “Account, Cardholder and Transaction Data Must Be Kept Secure,” which states:

Merchants . . . must keep all systems and media containing MasterCard
account, cardholder, or transaction information (whether physical or
electronic) in a secure manner so as to prevent access by, or disclosure to
any unauthorized party. Merchants . . . must destroy all media not
necessary to retain, in a manner that will render the data unreadable.

Defendants violated this requirement because they failed to maintain customer information in a “secure manner so as to prevent access by . . . any unauthorized party.” Defendants also failed to “destroy all media not necessary to retain.”

c. The MasterCard International Bylaws and Rules, section 9.15.7 titled “Storage of Account, Cardholder, and Transaction Data,” which states:

MasterCard permits storage of only the card account number, expiration
date, cardholder name, and service code, in a secure environment to which
access is limited, and then only to the extent that this data is required for
bona fide purposes and only for the length of time that the data is required
for such purposes.

Defendants violated this requirement because they failed to store cardholder information in a secure environment to which access was limited. Defendants also stored cardholder information for longer than necessary to complete the bona fide purpose for which the information was obtained. For example, as discussed below, TJX stored cardholder information for up to two years, significantly longer than necessary.

41. At all times relevant hereto, TJX knew or should have known that the Card Operating Regulations required it to secure and keep confidential Visa and MasterCard cardholder information and magnetic stripe information from unauthorized disclosure, as set out in the Card Operating Regulations.

42. At all times relevant hereto, TJX knew or should have known that the Card Operating Regulations forbade it from retaining or storing cardholder information longer than necessary.

43. Fifth Third’s contracts with TJX and Visa and MasterCard, and Defendants’ involvement in this complex web of interrelated financial institutions, required that Defendants: (a) comply with the Card Operating Regulations; (b) properly secure Visa and MasterCard cardholder information; (c) not retain or store such information subsequent to processing of a transaction; and (d) not disclose such information to unauthorized third parties. Defendants wrongfully failed to comply with these requirements.

44. On February 21, 2007, TJX issued a press release providing additional details about TJX’s security breach and internal investigation. The press release disclosed that the time period in which the affected customer transactions occurred had expanded from previous estimates, and the time period during which the hackers accessed TJX’s computer systems had expanded from previous estimates. The press release also stated that TJX found additional drivers’ license numbers together with related names and addresses that it believed were compromised.

45. On March 28, 2007, TJX filed with the SEC its Form 10-K for fiscal year 2006. TJX stated, in relevant part:

a. The compromised customer transactions were those that took place at various points “from December 31, 2002 through mid-May 2006” and “during portions of mid-May [2006] through December 18, 2006,” a combined period of four years;

b. The hackers gained access “in July 2005, on subsequent dates in 2005 and from mid-May 2006 to mid-January 2007,” meaning that the actual intrusions occurred during at least a fourteen month period;

c. The information was stolen “from a portion of our computer systems in Framingham, MA that processes and stores information related to payment card, check and unreceipted merchandise return transactions for customers of our T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico and our Winners and HomeSense stores in Canada (“Framingham system”).”;

d. TJX identified a limited number of the credit and debit cards for which information was believed stolen. The identified cards totaled 45,732,000, comprised of 30,708,000 cards that had expired numbers at the time of the theft and 15,024,000 cards that had unexpired numbers at the time of the theft. (As reported by The Washington Post on March 30, 2007, “[e]xpired cards can still be at risk because they are often renewed with the same numbers.”);

e. “Until discovery of the Computer Intrusion, we stored certain customer personal information on our Framingham system that we received in connection with returns of merchandise without receipts and in some check transactions in our U.S., Puerto Rican and Canadian stores (other than Bob’s Stores). In some cases, this personal information included drivers’ license, military and state identification numbers (referred to as “personal ID numbers”), together with related names and addresses, and in some of those cases, we believe those personal ID numbers were the same as the customers’ social security numbers.”;

f. TJX identified 454,600 customers whose Personal ID numbers and related names and addresses (and in some cases social security numbers) were stolen. This included 451,000 customers who returned goods “primarily during the last four months of 2003” at T.J. Maxx, Marshalls, and HomeGoods (but not A.J. Wright), and 3,600 customers who returned goods during an unspecified period at unspecified stores;

g. “We suspect the data believed stolen in 2005 related to somewhere between approximately half to substantially all of the transactions at U.S., Puerto Rican and Canadian stores during the period from December 31, 2002 through June 28, 2004.”;

h. “The . . . files stolen in 2006 could have included . . . data relative to some customer transactions from December 31, 2002 through mid-May 2006 . . . .”;

i. The hackers may have accessed unencrypted information transmitted during the card issuer’s approval process when approving credit and debit card transactions: “the technology utilized in the Computer Intrusion during 2006 could have enabled the Intruder to steal payment card data from our Framingham system during the payment card issuer’s approval process, in which data (including the track 2 data) is transmitted to payment card issuers without encryption.” As discussed below, The Wall Street Journal reported on May 4, 2007 that the lack of encryption during this process violated credit card industry guidelines;

j. TJX did not encrypt payment card and check transaction information prior to April 7, 2004 and possibly even after April 7, 2004: “For transactions after April 7, 2004 our Framingham system also generally [but not always] began encrypting (meaning substituted characters for the actual characters using an encryption algorithm provided by our software vendor) all payment card and check transaction information.”;

k. Even data encrypted by TJX may be at risk: “Further, we believe that the Intruder had access to the decryption tool for the encryption software utilized by TJX.”; and

l. In at least one instance, TJX stored cardholder information for approximately two years from 2004 to 2006, significantly longer than necessary to complete the business purpose for which the information was obtained: “[W]e identified a limited number of payment cards as to which transaction information was included in the customer data that we believe were stolen in 2006. This information was contained in two files apparently created in connection with computer systems problems in 2004 and 2006.”
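The MasterCard storage rule quoted under paragraph 40, PCI Requirement 3 in paragraph 36, and the track 2 disclosure at paragraph 45(i) all turn on the same question: what is in the data a terminal reads from a card, and which of it may a merchant keep once the transaction is authorized. The following is an added example, not part of the complaint and not code from TJX, Fifth Third or any card brand. It parses an ISO/IEC 7813 track 2 string, reduces it to the fields the quoted rule permits (with the account number truncated), and scans a few constructed point-of-sale log lines for full track data of the kind that ends up in the "files created in connection with computer systems problems" described at 45(l). The card numbers 4111111111111111 and 5555555555554444 are standard test numbers; the log lines are constructed for the example.

```python
"""Track 2 cardholder data: what it contains, what may be retained, and how
to find copies that should not exist.

Added example; not code from the complaint, from TJX, or from any card brand.
PANs 4111111111111111 / 5555555555554444 are standard test numbers and the
SAMPLE_LOG lines are constructed.
"""
import re

# ISO/IEC 7813 track 2 layout: ;PAN=YYMMSSS<issuer discretionary data>?
#   PAN            13-19 digits (primary account number)
#   YYMM           expiry
#   SSS            service code
#   discretionary  issuer data, which carries the card verification value
#                  (CVV/CVC) that PCI DSS forbids storing after authorization
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check; rejects most non-card digit runs in logs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a full track 2 string into its fields (raises on bad input)."""
    m = TRACK2_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError("not a track 2 string")
    pan, expiry, service_code, discretionary = m.groups()
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {"pan": pan, "expiry": expiry,
            "service_code": service_code, "discretionary": discretionary}


def truncate_pan(pan: str) -> str:
    """Render the PAN unreadable by truncation: at most first 6 and last 4."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def retention_record(track2: dict) -> dict:
    """The only fields the quoted MasterCard rule allows a merchant to keep:
    account number (truncated here), expiry and service code. The full track
    and the discretionary data (CVV) are dropped, not masked."""
    return {"pan_truncated": truncate_pan(track2["pan"]),
            "expiry": track2["expiry"],
            "service_code": track2["service_code"]}


def find_track_data(lines) -> list:
    """Return (line number, truncated PAN) for every line holding full track 2
    data whose PAN passes Luhn. Report truncated PANs only, so the scanner
    does not itself become a new copy of cardholder data."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                hits.append((n, truncate_pan(m.group(1))))
    return hits


# Constructed POS log excerpt: lines 2 and 4 contain full track data written
# by a debug path; line 5 has a digit run that fails Luhn and is not a card.
SAMPLE_LOG = [
    "2006-05-20 12:01:33 POS-0412 auth ok amount=48.99 pan=411111******1111",
    "2006-05-20 12:01:34 DEBUG raw=;4111111111111111=0912101123456789?",
    "2006-05-20 12:02:10 POS-0412 auth ok amount=12.50 pan=555555******4444",
    "2006-05-20 12:02:11 DEBUG raw=;5555555555554444=1001101000000000?",
    "2006-05-20 12:03:00 DEBUG raw=;4111111111111112=0912101000000000?",
]

if __name__ == "__main__":
    t2 = parse_track2(";4111111111111111=0912101123456789?")
    print("parsed:", t2)
    print("retain:", retention_record(t2))
    print("full track data found at:", find_track_data(SAMPLE_LOG))
```

The scanner reports only truncated account numbers, because a finding that quotes the full PAN would itself be a new copy of cardholder data in an unexpected place. The Luhn filter is what keeps a tool like this usable on real logs: timestamps, order numbers and hashes produce long digit runs, but very few of them pass the check digit.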

46. On March 29, 2007, The Boston Globe reported that six people were arrested for using credit card numbers stolen from TJX to buy more than $8 million worth of goods:

Six people arrested and charged with participating in a crime ring that used
credit card numbers stolen from TJX Cos. of Framingham to buy more than $8
million worth of electronics at Wal-Mart and Sam’s Club stores across Florida
face arraignment this morning in Jacksonville. . . .

....

The chronology of events, spelled out by law enforcement officials and in
an affidavit filed in connection with the case, demonstrates one way that thieves
can profit from lists of stolen credit card numbers by turning them into gift cards
with which to buy expensive goods -- in effect laundering the stolen numbers to
make them harder to trace.

....

Specifically, police allege that the individuals, six of whom have been
arrested, made or obtained fake credit cards with real account information on TJX
customers taken from its computers. They allegedly used the credit cards to buy
gift cards from Wal-Mart and Sam’s Club and then allegedly used the cards at
stores throughout Florida to buy more than $8 million worth of electronic goods
such as computers and big-screen televisions, returning the goods in some cases
for cash.

47. On May 4, 2007, The Wall Street Journal reported that the hackers gained access through TJX’s outdated wireless network. The article pointed out numerous deficiencies in TJX’s computer systems:

There, investigators now believe, hackers pointed a telescope-shaped
antenna toward the store and used a laptop computer to decode data streaming
through the air between hand-held price-checking devices, cash registers and the
store’s computers. That helped them hack into the central database of Marshalls’
parent, TJX Cos. in Framingham, Mass., to repeatedly purloin information about
customers.

The $17.4-billion retailer’s wireless network had less security than
many people have on their home networks, and for 18 months the company --
which also owns T.J. Maxx, Home Goods and A.J. Wright -- had no idea what
was going on. . . .

. . . . The TJX hackers also got personal information such as driver's license
numbers, military identification and Social Security numbers of 451,000
customers -- data that could be used for identity theft. . . . TJX deleted its own
copies of the records stolen by the hackers and can't crack the encryption on files
that the hackers left in its system.

....

The ease and scale of the fraud expose how poorly some companies are
protecting their customers’ data on wireless networks, which transmit data by
radio waves that are readily intercepted.

....

When wireless data networks exploded in popularity starting around 2000,
the data was largely shielded by a flawed encoding system called Wired
Equivalent Privacy, or WEP, that was quickly pierced. The danger became
evident as soon as 2001, when security experts issued warnings that they
were able to crack the encryption systems of several major retailers.

By 2003, the wireless industry was offering a more secure system
called Wi-Fi Protected Access or WPA, with more complex encryption.
Many merchants beefed up their security, but others including TJX were
slower to make the change. An auditor later found the company also failed
to install firewalls and data encryption on many of its computers using the
wireless network, and didn't properly install another layer of security
software it had bought. . . .

....

. . . . [The hackers] first tapped into data transmitted by hand-held equipment that
stores use to communicate price markdowns and to manage inventory. “It was as
easy as breaking into a house through a side window that was wide open,”
according to one person familiar with TJX’s internal probe. The devices
communicate with computers in store cash registers as well as routers that
transmit certain housekeeping data.

After they used that data to crack the encryption code the hackers digitally
eavesdropped on employees logging into TJX’s central database in Framingham
and stole one or more user names and passwords, investigators believe. With that
information, they set up their own accounts in the TJX system and collected
transaction data including credit-card numbers into about 100 large files for their
own access. They were able to go into the TJX system remotely from any
computer on the Internet, probers say.

They were so confident of being undetected that they left encrypted
messages to each other on the company's network, to tell one another which files
had already been copied and avoid duplicating work. The company says the
hackers may even have lifted bank-card information as customers making
purchases waited for their transactions to be approved. TJX transmitted
that data to banks “without encryption,” it acknowledged in an SEC filing.
That violates credit-card company guidelines, experts say.

While the hackers were stealing the data, they were selling it on the
Internet on password-protected sites used by gangs who then run up charges using
fake cards printed with the numbers, investigators say.

....

As the stolen TJX numbers were being used in Florida, the company was
getting a stern warning about its poor security from a routine audit. The auditor
told the company last Sept. 29 [2006] that it wasn’t complying with many of
the requirements imposed by Visa and MasterCard, according to a person
familiar with the report. The auditor’s report cited the outmoded WEP
encryption and missing software patches and firewalls.

Then on Dec. 18, another auditor found anomalies in the company’s card
data. At that point, TJX hired forensics experts from International Business
Machines Corp. and General Dynamics Corp. and notified the U.S. Secret
Service, which spent a month trying to catch the hackers in the act. . . .

On Jan. 17, the company announced its systems had been hacked, affecting
“a limited number of credit and debit card holders.” . . .

(Emphasis added.)

48. Notably, Defendants were on notice as early as 2001 that TJX’s wireless system and encryption technology were flawed and could easily be pierced. Defendants knew a more secure system was available in 2003, yet Defendants failed to implement a strengthened system. Defendants were also on notice that many of TJX’s computers lacked firewalls and data encryption technology, as alerted by an auditor. Despite this knowledge, Defendants failed to correct the deficiencies.

49. TJX failed to detect the data intrusion in a timely manner. The intrusion first occurred at least as early as July 2005, continued throughout 2005, and occurred again from mid-May 2006 forward. However, TJX did not detect the intrusion until mid-December 2006, a delay of eighteen months after the initial intrusion. Had TJX employed effective system monitoring controls, it would have detected the security breach in a more timely manner.

50. Defendants’ failure to comply with industry standards and regulations, the magnitude of the data breach (the largest in history), the lengthy period during which the intrusions occurred (beginning at least as early as July 2005 and occurring over at least a fourteen month period), the lengthy period in which the compromised transactions took place (four years from December 31, 2002 forward), and the significant delay between the date of the first intrusion in July 2005 and the date TJX finally discovered the intrusion in December 2006 (eighteen months), all serve as concrete evidence of Defendants’ negligence and other wrongful conduct in failing adequately to safeguard and monitor TJX’s computer systems to ensure the security of its customers’ personal and financial data.

51. Numerous government agencies are investigating TJX’s potential culpability in the data theft. TJX disclosed the following in its fiscal 2006 Form 10-K:

A number of government agencies are conducting investigations as to
whether TJX as a result of the Computer Intrusion may have violated laws
regarding consumer protection and related matters. TJX has been advised that
the Attorney General of the Commonwealth of Massachusetts is leading an
investigation into the Computer Intrusion on behalf of a multi-state group of
state Attorneys General (the “Multi-State Group”), which as initially comprised
had approximately 30 participating states. . . .

....

TJX also has been advised that the Federal Trade Commission (“FTC”)
is investigating the Computer Intrusion to determine whether the Company may
have violated federal law regarding consumer protection and related matters.

52. The security breach is also being investigated by the U.S. Department of Justice, the U.S. Secret Service, and the U.S. Attorney’s Office in Boston, among other law enforcement agencies in Canada and abroad.

II. Fifth Third’s Role and Culpability

53. Fifth Third Bancorp is the sponsoring bank that handled TJX’s credit and debit card transactions during the relevant time period. In that role, Fifth Third carried out transactions that began at the checkout counter, passed through card association networks - such as those of Visa or Mastercard - went to the cardholder’s issuing bank for approval, and ended with the printout of a purchase receipt for the customer to sign.

54. As discussed above, Fifth Third has a contract with Visa and a contract with MasterCard that requires Fifth Third to comply with the Card Operating Regulations. Also, Fifth Third has a contract with TJX that requires TJX to comply with the Card Operating Regulations.

55. According to a New York Times article dated January 19, 2007, Fifth Third, as the sponsoring bank that handles TJX’s accounts, is “responsible for ensuring that the retailer met the industry’s data security standards.”

56. Referencing Fifth Third, The Wall Street Journal reported on January 19, 2007 that “TJX Cos. might not be the only company on the hook for a security breach that has exposed millions of consumers to potential fraud.” The article pointed out that because of Fifth Third’s involvement with credit card processing at TJX, “[b]ased on card-industry rules, that means Fifth Third likely will be first in line if Visa USA Inc. and MasterCard Inc. levy fines for the breach.”

57. Fifth Third had a duty to ensure that TJX met applicable industry data security standards, including but not limited to the PCI standards and Card Operating Regulations discussed above. Fifth Third failed to ensure TJX’s compliance, and Fifth Third breached its duty.

III. The Named Plaintiffs’ Experiences Illustrate the Types of Damages the Class Experienced as a Result of Defendants’ Conduct

58. Plaintiff Anne Cohen frequently shops at Marshalls. She used her debit card at Marshalls in November and December 2006, among other months. She also used her debit card at HomeGoods in November 2006. On or around January 21, 2007, she tried to use her debit card at an ATM machine. The machine retained her card because the card had been deactivated. She did not previously know the card was deactivated. She called her bank, Rondout Savings Bank, which told her the card was on TJX’s list of cards that were compromised during the security breach. Her bank cancelled the card as a result. She received a replacement card with a new number approximately two weeks later. She also received a letter from her bank dated February 6, 2007 implicating TJX for the breach of her card and stating: “Published reports indicate information that may have been compromised include your name, debit card number, and magnetic stripe information associated with your debit card.”

59. Plaintiff Cohen had several automatic bill-pay transactions linked to her debit card, including but not limited to her monthly telephone service and health club membership. Due to the deactivation of her card, of which she was unaware, several vendors were unable to process their billing transactions. One vendor charged her a $20 penalty because the vendor was unable to extract the required payment. After she learned of the deactivation, Plaintiff Cohen spent considerable time instructing vendors not to use her deactivated debit card number any longer, paying vendors via an alternate method while awaiting receipt of her new card, and re-establishing electronic links to her new debit card after the new card was received.

60. Due to the unavailability of a debit card for two weeks, Plaintiff Cohen was inconvenienced in several ways. She was forced to travel to her bank’s branch office on numerous occasions to withdraw cash. She was also forced to leave work during the workday to arrive at the bank during banking hours. Further, she was forced to carry large sums of cash on hand on numerous occasions (an unusual and uncomfortable feeling), particularly during an out-of-town business trip.

61. Plaintiff Cohen also tried to return certain holiday gifts at two retail stores, but the stores would not refund her money because the debit card she used to purchase the items was no longer active. The retailers instead issued her a store credit. This was an inconvenience and caused financial harm to Plaintiff Cohen because she wanted to use some or all of the refunded funds at other stores.

62. Plaintiff Cohen has also returned merchandise at Marshalls without a receipt. Thus, she may be among the people whose drivers’ license information, name, and address were compromised during TJX’s security breach.

63. Plaintiff ACohen Marketing & Public Relations, LLC uses a debit card that is separate and distinct from Plaintiff Anne Cohen’s personal debit card. Plaintiff Anne Cohen used ACohen’s debit card to make purchases at Marshalls in at least November and December 2006. On or around January 24, 2007, Anne Cohen tried using ACohen’s debit card for a transaction, but the card did not work. Anne Cohen called ACohen’s bank, Rondout Savings Bank, which told her the card was on TJX’s list of cards that were compromised during the security breach. The bank cancelled the card as a result. ACohen received a replacement card with a new number approximately two weeks later. Anne Cohen also received a letter from the bank dated February 6, 2007 implicating TJX for the breach of ACohen’s card and stating: “Published reports indicate information that may have been compromised include your name, debit card number, and magnetic stripe information associated with your debit card.”

64. Plaintiff ACohen had several automatic bill-pay transactions linked to its debit card. After the card was deactivated, ACohen spent considerable time instructing vendors not to use the deactivated card number, paying vendors via an alternate method while awaiting receipt of the replacement card, and re-establishing electronic links to the new debit card after the new card was received.

65. The deactivation of ACohen’s debit card also interrupted ACohen’s business while ACohen awaited receipt of a replacement card. ACohen was unable to order certain services on behalf of its clients, and ACohen was unable to order certain goods for the business.

66. Plaintiff Julie Buckley has been a regular customer of TJX’s stores for many years, and has used both her debit card and her drivers’ license when transacting business with TJX.

67. On January 18, 2007, she was informed that her debit card information had been stolen from TJX and that her credit union had preemptively cancelled her card, leaving her temporarily without a debit card.

68. Plaintiff Buckley contacted TJX over the telephone. TJX’s employees refused to provide additional information, to take responsibility for the situation, or to provide any assistance other than to suggest that Plaintiff Buckley monitor her accounts herself for identity theft. TJX’s employees refused Plaintiff Buckley’s request that TJX provide her with an identity theft monitoring service. Plaintiff Buckley has been unable to determine whether her drivers’ license information was stolen from TJX’s computer systems.

69. Plaintiff LaQuita Kearney returned merchandise at TJX stores without a receipt, including but not limited to HomeGoods, T.J. Maxx, and Marshalls. She received a letter from TJX dated March 31, 2007 stating:

We reported in January 2007 that there had been an unauthorized intrusion into
our computer systems. As more recently reported, our investigation subsequently
found additional information that we believe was compromised in the intrusion.
We are writing to notify you that your name, address and driver’s license number
were among the information we believe was compromised.

70. As a precautionary measure, Plaintiff Kearney requested her free annual credit report. However, prior to becoming aware of the identity theft, Plaintiff Kearney had already requested and received her free credit report for this year and was therefore forced to pay $14 for a second credit report to monitor her account statements. After reviewing her credit report, Plaintiff Kearney noticed inquiries for cell phone service and an American Express card that she did not make.

71. As a further precautionary measure, Plaintiff Kearney also contacted her local Department of Motor Vehicles (“DMV”) to obtain a new driver’s license number. Even though Plaintiff Kearney showed the DMV the March 31, 2007 letter from TJX, the DMV indicated that they could not help her because the situation was not something that required her information to be changed. Thus, due to TJX’s security breach, Plaintiff Kearney has been exposed to a substantial and continuing risk of identity theft since she still has the same driver’s license information as prior to the security breach.

72. In addition, Plaintiff Kearney separately received a letter from her bank stating that her debit card may have been compromised in a recent nationwide breach of card information involving TJX Companies, Inc. While no fraudulent charges had been made, the bank issued her a new card and cancelled her old card.

73. The TJX security breach has been a significant inconvenience to Plaintiff Kearney and has caused considerable stress and anxiety.

74. Plaintiff Laura Lerner returned merchandise at TJX stores without a receipt, including but not limited to HomeGoods, T.J. Maxx, and Marshalls. She received a letter from TJX dated January 24, 2007 stating:

. . . I regret to report to you that there has been an unauthorized intrusion into
our computer systems that process and store information related to customer
transactions for our T.J. Maxx, Marshalls, Homegoods and A.J. Wright stores
in the U.S. We have specifically identified a relatively small number of
customer names and addresses with related driver’s license numbers that were
stolen from our computer systems, and we are writing to notify you that your
information was among the data stolen.

75. Plaintiff Lerner received a similar letter from TJX dated March 31, 2007. It is unclear whether the latter letter references the same data theft as the prior letter or a second data theft from a separate transaction.

76. Plaintiff Lerner’s driver’s license number was the same as her social security number. Thus, due to TJX’s security breach, she has been exposed to a substantial and continuing risk of identity theft. As a precautionary measure, Plaintiff Lerner has placed a 90-day fraud alert on her credit report. She also obtained a new driver’s license with a license number that is different from her social security number. She paid a $20 fee to obtain the new license. In addition, the TJX security breach has been a significant inconvenience to Plaintiff Lerner and has caused considerable stress and anxiety.

77. Plaintiff Robert Mann shopped at T.J. Maxx and HomeGoods frequently, including but not limited to in December 2006. He generally used his debit card for purchases at these stores. In late January 2007, he tried to use his debit card for a transaction, but the transaction failed. He checked his account on-line and saw that approximately 110 fraudulent transactions had occurred, or were attempted, on his card during a four-day period from January 24, 2007 to January 27, 2007. Several of the charges were similar in description to fraudulent charges reported in the media and on the internet by other victims of the TJX security breach, including but not limited to charges at WalMart and charges in foreign countries. There were thousands of dollars of fraudulent transactions on Plaintiff Mann’s account. His bank deactivated the card as a result of the fraudulent activity.

78. Plaintiff Mann took two days off from work, without pay, to investigate and address the fraudulent charges on his account. As a result of his efforts, his bank ultimately agreed to reverse the charges. Plaintiff Mann lost the use of his debit card for approximately one week between the date his old card was cancelled and the date his new card was activated. This was a significant inconvenience because he was forced to travel to a bank branch to withdraw and carry large sums of cash. Further, as a precaution, Plaintiff Mann cancelled several of his other credit cards and ordered replacement cards with new card numbers. This was inconvenient and time consuming.

79. Plaintiff Jitka Parmet shops frequently at Marshalls, T.J. Maxx and Homegoods, and specifically made purchases with her MasterCard there in May and June of 2006.

80. In January 2007, Plaintiff Parmet was attempting to make a retail purchase when her MasterCard was rejected. Although she was able to make the purchase with a different card, the incident caused her great embarrassment.

81. Plaintiff Parmet was informed by her credit card company that several hundred dollars of online purchases had been made on her card, and, because she does not typically shop online, the card company had flagged her account. The company ultimately cancelled her account and issued her a new card. Plaintiff Parmet spent considerable time to challenge these online purchases, which she did not make. As a result of her efforts, the charges were reversed. The charges occurred on December 18, 2006. TJX publicly disclosed that it discovered the intrusion into its computer systems in “mid-December, 2006.” It is possible that if TJX had announced the theft immediately, Plaintiff Parmet might have been able to cancel her card before these charges were incurred.

82. Because Plaintiff Parmet has used her MasterCard at TJX’s stores, and has no knowledge of any other likely way that her card information was otherwise compromised, she believes that her card information was stolen from TJX.

83. Plaintiff Parmet separately received a letter from her credit union stating that her Visa debit card “may have been compromised in a recent nationwide breach of card information involving TJX Companies, Inc.” While no fraudulent charges had been made, the credit union issued her a new card and cancelled her old card, which was an inconvenience to Plaintiff Parmet.

84. Plaintiff Kimberly Myck-Rawson shopped at a T.J. Maxx store in Bend, Oregon on several occasions in the latter part of 2006. She has used her Visa debit card and her Visa credit card when shopping at this store.

85. Plaintiff Myck-Rawson’s husband was contacted by the couple’s credit union on January 19, 2007 and informed that a thief had attempted to use her debit card and that the credit union had cancelled her card immediately.

86. Plaintiff Myck-Rawson contacted her credit union and was told that a local merchant’s computer system had been compromised and her financial information had been stolen. However, the credit union stated that, at the request of Visa, it would not reveal the name of the merchant. After several emotionally stressful days of attempting to learn more information from Visa and from her credit union, Plaintiff Myck-Rawson was finally informed by her credit union that the local merchant was T.J. Maxx.

87. Plaintiff Myck-Rawson was unable to conduct certain financial transactions or to obtain cash from ATM machines until she received a new debit card.

88. Because Plaintiff Myck-Rawson also used her Visa credit card at TJX’s stores, she has cancelled that card and has received a replacement. This process has caused her further inconvenience.

89. Plaintiff Deborah Wilson has been shopping at TJX stores for over twenty-one years and has returned merchandise at T.J. Maxx without a receipt. She received a letter from TJX dated March 31, 2007 stating:

We reported in January 2007 that there had been an unauthorized intrusion into
our computer systems. As more recently reported, our investigation subsequently
found additional information that we believe was compromised in the intrusion.
We are writing to notify you that your name, address and driver’s license number
were among the information we believe was compromised.

90. As a precautionary measure, Plaintiff Wilson contacted her local DMV for information about what procedures to follow in order to protect against possible identity fraud. The DMV, however, provided no assistance to Plaintiff Wilson and in fact, informed Plaintiff Wilson that her driver’s license information could not be changed. Thus, as a result of TJX’s security breach, Plaintiff Wilson has been exposed to a substantial and continuing risk of identity theft since she still has the same driver’s license information as prior to the security breach. Additionally, the TJX security breach has been a significant inconvenience to Plaintiff Wilson and has caused considerable stress and anxiety.

91. Plaintiff Kathleen Robinson used her Mastercard to purchase items from T.J. Maxx on several occasions during 2006, including but not limited to the following dates: August 8, 2003; August 16, 2003; January 24, 2004; April 10, 2004; May 29, 2004; August 15, 2004; February 11, 2006; May 5, 2006; June 4, 2006; and August 16, 2006. Additionally, Plaintiff Robinson returned products purchased with her Mastercard to T.J. Maxx on January 20, 2003 and August 11, 2004.

92. As a result of Plaintiff Robinson shopping at T.J. Maxx on several occasions from 2003 to August 2006, TJX stored within its computer system and was in possession of Plaintiff Robinson’s private, non-public personal and financial information from July 2005 to January 2007.

93. Plaintiff Robinson’s private, non-public personal and financial information has been compromised as a result of TJX’s actions and/or non-actions.

94. Plaintiff Shannon Kidd shopped at TJX stores using a credit card, and her personal information was compromised as a result of the breach.

95. Plaintiff Mary Robb Farley is a Marshalls customer. She made credit card transactions at Marshalls during the period that TJX announced its computer system had been compromised.

96. As a result of Defendants’ conduct, Plaintiffs and Class members have had their financial and personal information stolen or compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have suffered other damages.

97. Plaintiffs and Class members have spent, and will continue to spend, considerable time to monitor their accounts and/or credit histories for fraudulent activity in seeking to prevent or undo any harm.

98. Plaintiffs and Class members have also incurred out-of-pocket losses for items including but not limited to fraudulent charges on their accounts (to the extent not reversed by their banks), credit monitoring and credit card monitoring services, identity theft insurance, costs to obtain credit reports, late fees and penalties charged by vendors that were expecting timely payment through debit and credit cards but didn’t receive payment when cardholders’ cards were cancelled, unpaid time off from work, notary fees incurred in submitting affidavits to dispute fraudulent charges, and wire fees for funds wired to Class members who were out of town when their bank cancelled their cards.

99. Further, a significant number of Class members have paid fees to change their drivers’ license number. The Massachusetts Registry of Motor Vehicles website, in a section expressly addressed to TJX customers whose drivers’ license information was compromised, encourages affected customers to change their drivers’ license number. A $20 fee is assessed for obtaining a new license.

100. Class members have also been burdened by the need to place a fraud alert on their credit file and/or drivers’ license number. TJX, through its website and letters to certain affected consumers, encouraged customers to place a fraud alert on their credit file and/or drivers’ license number. Placing a fraud alert requires customers to spend considerable time formally requesting the fraud alert. Further, with respect to drivers’ license numbers, once a fraud alert is in place, the fraud alert requires the licensee to undergo burdensome and time-consuming steps to perform future license-related transactions. For example, the Massachusetts Registry of Motor Vehicles website, in a section expressly addressed to TJX customers, states:

[Y]ou can request an Activity Hold on your drivers’ license or ID. It is
important to understand that an Activity Hold will prevent all future
license/identification transactions in Massachusetts. This means you will have to
appear in person at an RMV branch for all license renewals and payments.
Also, while your license/ID is on Activity Hold, you will not receive license
renewal reminders or notices from the RMV in the mail.

To request an Activity Hold, you must complete a Request to Add or
Remove an Activity Hold form and then bring it to an RMV branch for
processing. . . . You must do this in person so we can verify your identity. . . .
In the future, each time you need to complete a license transaction, you will need
to visit an RMV branch so they can re-verify your identity and temporarily
remove the Activity Hold. For example, this procedure will have to be followed
to renew your license or request a duplicate license or ID card. (Emphasis added.)

The need to appear in person to perform routine license-related transactions that could otherwise be completed by mail or on-line is an undue burden to Class members.

101. In sum, as a result of Defendants’ conduct, Class members suffered damages including, but not limited to, the following:

a. out-of-pocket loss for, inter alia, fraudulent charges on their accounts (to the extent not reversed by banks), the cost of credit monitoring and/or credit card monitoring services, the cost of identity theft insurance, costs to obtain credit reports, fees charged by vendors that were expecting timely payment through debit and credit cards but didn’t receive payment, unpaid time off from work, notary fees, wire fees, and fees to change drivers’ license numbers;

b. loss of control of their credit and debit card, Personal ID, and check information;

c. fear and apprehension of fraud, loss of money, and identity theft;

d. the burden of closely scrutinizing account statements and credit reports for unauthorized activity;

e. the burden of closing compromised accounts, opening new accounts, and re-establishing electronic payment links from old accounts to new accounts;

f. the burden and consequences of placing a fraud alert on their credit file and/or drivers’ license number;

g. the burden and cost of formally disputing fraudulent activity;

h. the burden of completing police reports to report fraudulent transactions and/or identity theft;

i. damage to their credit history;

j. loss of privacy; and

k. other economic and non-economic damages.

102. The Class is also entitled to injunctive relief including but not limited to: (i) the provision of credit monitoring and/or credit card monitoring services (to the extent not already paid for by Class members); (ii) the provision of identity theft insurance (to the extent not already paid for by Class members); and (iii) the requirement that TJX enhance the security of its computer system to minimize the likelihood of intrusions in the future. Injunctive relief is required because money damages alone are insufficient to redress the irreparable harm that Class members face absent provision of these injunctive measures.

CLASS ACTION ALLEGATIONS

103. Plaintiffs bring this class action, pursuant to Federal Rule of Civil Procedure 23(a) and (b)(3), on behalf of themselves and all others similarly situated (the “Class”), defined as follows:

All persons or entities in the United States (including the District of Columbia),
Puerto Rico or Canada who shopped at TJX stores in the United States, Puerto
Rico or Canada, made a purchase or return, have had or allege having had
personal or financial data stolen or placed at risk of being stolen from TJX’s
computer systems, and who were or may be damaged thereby or who allege
damage therefrom.

Excluded from the Class are TJX, Fifth Third, and their respective officers and directors.

104. The Class consists of millions of customers of TJX’s retail stores located throughout Massachusetts and the United States, as well as Puerto Rico and Canada. Based on TJX’s admission that millions of customer accounts have been compromised, the Class is so numerous that joinder of all Class members is impracticable.

105. Defendants’ conduct, in failing to properly safeguard customers’ personal and financial data and in failing to notify customers of the security breach as soon as practical after the breach was discovered, is uniform among the Class.

106. Questions of law and fact common to all Class members predominate over any questions affecting only individual members. Such questions of law and fact common to the Class include:

a. whether Defendants acted negligently in failing to properly safeguard Class members’ financial and personal data;

b. whether Defendants violated industry standards concerning the handling and storage of Class members’ financial and personal data;

c. whether Defendants failed to notify Class members of the security breach as soon as practical after the breach was discovered;

d. whether Defendants breached express or implied contracts by failing to properly safeguard Class members’ financial and personal data;

e. whether Defendants engaged in unfair practices by failing to properly safeguard customers’ financial and personal data;

f. whether Defendants’ violations of Mass. Gen. Laws Chap. 93A §§ 9, 11 were willful or knowing violations; and

g. whether Plaintiffs and the Class have been damaged, and, if so, what types of damages flowed from Defendants’ unlawful conduct.

107. Plaintiffs’ claims, as described herein, are typical of the claims of all Class members, as the claims of Plaintiffs and all Class members arise from the same set of facts regarding Defendants’ failure to protect Class members’ personal and financial data. Plaintiffs maintain no interests that are antagonistic to the interests of other Class members.

108. Plaintiffs are committed to the vigorous prosecution of this action and have retained competent counsel experienced in the prosecution of class actions of this type. Accordingly, Plaintiffs are adequate representatives of the Class and will fairly and adequately protect the interests of the Class.

109. This class action is a fair and efficient method of adjudicating the claims of Plaintiffs and the Class for the following reasons:

a. common questions of law and fact predominate over any question affecting any individual Class member;

b. the prosecution of separate actions by individual members of the Class would likely create a risk of inconsistent or varying adjudications with respect to individual members of the Class thereby establishing incompatible standards of conduct for Defendants or would allow some Class members’ claims to adversely affect other Class members’ ability to protect their interests;

c. this forum is appropriate for litigation of this action since the causes of action arose in this District;

d. Plaintiffs anticipate no difficulty in the management of this litigation as a class action; and

e. the Class is readily definable, and prosecution as a class action will eliminate the possibility of repetitious litigation, while also providing redress for claims that may be too small to support the expense of individual, complex litigation.

110. For these reasons, a class action is superior to other available methods for the fair and efficient adjudication of this controversy.

COUNT I: NEGLIGENCE
(As To All Defendants)

111. Plaintiffs repeat and re-allege the allegations contained in the foregoing paragraphs as if fully set forth herein.

112. Defendants assumed a duty, and had duties imposed upon them by regulations, to use reasonable care to keep Class members’ credit and debit card, Personal ID, and check transaction information private and secure. By their acts and omissions described herein, Defendants unlawfully breached this duty. The Class was damaged thereby.

113. The private information of the Class that was stolen or compromised by the breach of TJX’s security includes, without limitation, information that was being improperly stored and inadequately safeguarded in violation of, among other things, industry rules and regulations. According to The Wall Street Journal on January 19, 2007, “[p]eople familiar with the situation have said that TJX doesn’t comply with those [industry] requirements.” As further reported in The Wall Street Journal on May 4, 2007, according to auditors of TJX as well as industry experts, Defendants failed to comply with specific industry standards governing the security of credit card and other data.

114. More specifically, Defendants failed to comply with PCI standards including but not limited to the following:

a. “Requirement 1: Install and maintain a firewall configuration to protect cardholder data.” Defendants violated this requirement as evidenced by the January 19, 2007 Wall Street Journal article noting TJX’s noncompliance with firewall requirements. Another article in the Wall Street Journal dated May 4, 2007 noted that TJX “failed to install firewalls . . . on many of its computers.”

b. “Requirement 3: Protect stored cardholder data.” Defendants violated this requirement as evidenced by, inter alia, the fact that an unauthorized intruder was able to repeatedly access cardholder data from TJX’s computer systems over a fourteen month period.

c. “Requirement 4: Encrypt transmission of cardholder data across open, public networks.” Defendants violated this requirement because TJX disclosed that it did not encrypt payment card and check transaction information prior to April 7, 2004 and possibly even after April 7, 2004. Moreover, The Wall Street Journal reported on May 4, 2007 that TJX “failed to install . . . data encryption on many of its computers.” The same article reported that TJX transmitted unencrypted credit and debit card information to banks during the approval process for card transactions, and this lack of encryption violated credit card industry guidelines according to experts.

115. Defendants also failed to comply with Card Operating Regulations, including but not limited to the following:

a. The “Visa USA Cardholder Information Security Program (CISP),” which is similar to the PCI standards program.

b. The MasterCard International Bylaws and Rules, section 9.15.3 titled “Account, Cardholder and Transaction Data Must Be Kept Secure,” which states:

Merchants . . . must keep all systems and media containing MasterCard account, cardholder, or transaction information (whether physical or electronic) in a secure manner so as to prevent access by, or disclosure to any unauthorized party. Merchants . . . must destroy all media not necessary to retain, in a manner that will render the data unreadable.

Defendants violated this requirement because they failed to maintain customer information in a “secure manner so as to prevent access by . . . any unauthorized party.” Defendants also failed to “destroy all media not necessary to retain.”

c. The MasterCard International Bylaws and Rules, section 9.15.7 titled “Storage of Account, Cardholder, and Transaction Data,” which states:

MasterCard permits storage of only the card account number, expiration date, cardholder name, and service code, in a secure environment to which access is limited, and then only to the extent that this data is required for bona fide purposes and only for the length of time that the data is required for such purposes.

Defendants violated this requirement because they failed to store cardholder information in a secure environment to which access was limited. Defendants also stored cardholder information for longer than necessary to complete the bona fide purpose for which the information was obtained. For example, TJX stored cardholder information for up to two years, significantly longer than necessary.

116. The PCI standards and Card Operating Regulations created a duty of reasonable care and a standard of care that Defendants violated. Defendants’ violations of those standards and regulations, among others, constitute negligence per se.

117. According to The New York Times on January 19, 2007, Defendant Fifth Third Bank is the “sponsoring bank that handles TJX’s accounts, which makes it responsible for ensuring that the retailer [TJX] met the industry’s data security standards.” Fifth Third breached its duty to ensure that TJX met applicable data security standards as discussed above.

118. The breach of security was a direct and proximate result of Defendants’ failure to use reasonable care to implement and maintain appropriate security procedures reasonably designed to protect the nonpublic information of the Class. This breach of security and resulting unauthorized access to nonpublic information of the Class was reasonably foreseeable by Defendants, particularly (but not exclusively) in light of Defendants’ knowledge that TJX’s wireless system, encryption technology, and firewalls were flawed.

119. Moreover, in June 2005, before the security breach at TJX, it was made public that CardSystems Solutions Inc., a provider of credit card processing services, suffered a severe security breach whereby a hacker accessed its computer systems and compromised nonpublic information of approximately 40 million consumer credit card account holders. Given the well-publicized data breach at CardSystems, Defendants TJX and Fifth Third were alerted to the risk and potential impact of a data intrusion. Thus Defendants should have undertaken adequate measures to assess or re-assess their computer systems, ensure compliance with industry data security standards, and otherwise properly safeguard customer data.

120. Defendants were in a special fiduciary relationship with the Class by reason of their entrustment with credit and debit card information, Personal ID information, and check transaction information. By reason of this fiduciary relationship, Defendants had a duty of care to use reasonable means to keep the nonpublic information of the Class private and secure. Defendants unlawfully breached this duty.

121. Pursuant to Class members’ rights to privacy, Defendants had a duty to use reasonable care to prevent the unauthorized access, use, or dissemination of Class members’ nonpublic information. Defendants unlawfully breached this duty.

122. Defendants’ failure to comply with industry standards and regulations, the magnitude of the data breach (the largest in history), the lengthy period during which the intrusions occurred (beginning at least as early as July 2005 and occurring over at least a fourteen month period), the lengthy period in which the compromised transactions took place (four years from December 31, 2002 forward), and the significant delay between the date of the first intrusion in July 2005 and the date TJX finally discovered the intrusion in December 2006 (eighteen months), all serve as concrete evidence of Defendants’ negligence and other wrongful conduct in failing adequately to safeguard and monitor TJX’s computer systems to ensure the security of its customers’ personal and financial data.

123. The compromise of the Class’ nonpublic information, and the resulting burden, fear, anxiety, emotional distress, loss of time spent seeking to prevent or undo any further harm, and other economic and non-economic damages to the Class were the direct and proximate result of Defendants’ violations of their duties.

124. Defendants also had a duty to publicly disclose the data compromise in a timely manner. Timely public disclosure was required so that, among other things, Plaintiffs and Class members could take appropriate measures to avoid unauthorized charges on their accounts, cancel or change account numbers on compromised cards, change their drivers’ license numbers or state and military identification numbers, and monitor their account information and credit reports for fraudulent activity.

125. Defendants breached this duty by failing to notify the public in a timely manner that information was compromised. TJX discovered the data intrusion in “mid-December, 2006,” but TJX did not announce the intrusion until approximately one month later on January 17, 2007. TJX delayed announcing the breach until after the busy holiday shopping season, the period in which the greatest amount of shopping occurs and the greatest amount of revenue is earned by TJX, relative to its other financial quarters.

126. Class members were harmed by Defendants’ delay because, among other things, fraudulent charges have been made to Class members’ accounts, and Class members have incurred time and money to dispute the charges with their banks.

127. Defendants knew or should have known that TJX’s computer systems for processing and storing credit and debit card, Personal ID, and check transaction information had security vulnerabilities. Defendants were negligent in continuing such data processing and storage in light of those vulnerabilities and the sensitivity of the data.

128. As a direct and proximate result of Defendants’ conduct, Class members suffered damages including, but not limited to, those set forth in paragraphs 58-101 above.

129. Plaintiffs and Class members have not in any way contributed to the security breach at TJX or to the compromise or theft of their personal and financial data.

COUNT II: BREACH OF CONTRACTS TO WHICH PLAINTIFFS AND CLASS MEMBERS WERE THIRD PARTY BENEFICIARIES
(As To All Defendants)

130. Plaintiffs repeat and re-allege the allegations contained in the foregoing paragraphs as if fully set forth herein.

131. Upon information and belief, Plaintiffs and the Class are third party beneficiaries of contracts entered into between TJX and Fifth Third, and/or between Defendants and credit card associations/networks. These contracts require that Defendants safeguard the personal and financial information of Plaintiffs and the Class.

132. Defendants breached these contracts, and, as a result of these breaches, Plaintiffs and the Class have been harmed as alleged herein.

COUNT III: BREACH OF IMPLIED CONTRACTS
(As To Defendant TJX)

133. Plaintiffs repeat and re-allege the allegations contained in the foregoing paragraphs as if fully set forth herein.

134. When providing personal and financial information to TJX in order to transact business at TJX’s retail stores, Plaintiffs and the Class entered into implied contracts with TJX such that TJX would safeguard this information and notify them promptly of any and all theft of this information.

135. Without such implied contracts, customers (including Plaintiffs and the Class) would not have used their personal and financial information to transact business with TJX.

136. TJX breached these implied contracts, and, as a result of these breaches, Plaintiffs and the Class have been harmed as alleged herein.

COUNT IV: UNFAIR TRADE PRACTICES UNDER MASS. GEN. LAWS CHAP. 93A, § 9
(As To All Defendants and Asserted by All Plaintiffs Except ACohen Marketing & Public Relations, LLC)

137. This Count is brought by all Plaintiffs (excluding ACohen Marketing & Public Relations, LLC) on behalf of all Class members other than those that engage in the conduct of any trade or commerce.

138. Said Plaintiffs repeat and re-allege the allegations contained in the foregoing paragraphs as if fully set forth herein.

139. Defendants’ retaining sensitive financial and personal information of said Plaintiffs and the Class (as limited above) for years, and Defendants’ failure to safeguard the security of such information, as alleged above, constituted unfair or deceptive practices under Massachusetts General Laws, Chapter 93A, §§ 2, 9.

140. Defendants’ unfair or deceptive practices occurred primarily and substantially in Massachusetts since TJX is headquartered in Massachusetts, decisions concerning the retention and safeguarding of customer information were made in Massachusetts, TJX maintains in Massachusetts all or a substantial part of its computer systems containing such customer information, and the security breach of its computer systems took place primarily and substantially in Massachusetts.

141. Said Plaintiffs and the members of the Class (as limited above) have been damaged as a result of Defendants’ unfair practices.

142. Defendants’ conduct was committed willfully, knowingly, in bad faith and in violation of Chapter 93A, §§ 2, 9.

143. Demand on behalf of the Class (as limited above) has been made upon Defendants pursuant to Chapter 93A, § 9.

COUNT V: UNFAIR TRADE PRACTICES UNDER MASS. GEN. LAWS CHAP. 93A, § 11
(As To All Defendants and Asserted by Plaintiff ACohen Marketing & Public Relations, LLC)

144. This Count is brought by Plaintiff ACohen Marketing & Public Relations, LLC on behalf of all Class members that engage in the conduct of any trade or commerce as set forth in Mass. Gen. Laws Chap. 93A, § 11.

145. Said Plaintiff repeats and re-alleges the allegations contained in the foregoing paragraphs as if fully set forth herein.

146. Defendants’ retaining sensitive financial and personal information of Plaintiff and the Class (as limited above) for years, and Defendants’ failure to safeguard the security of such information, as alleged above, constituted unfair or deceptive practices under Massachusetts General Laws, Chapter 93A, §§ 2, 11.

147. Defendants’ unfair or deceptive practices occurred primarily and substantially in Massachusetts since TJX is headquartered in Massachusetts, decisions concerning the retention and safeguarding of customer information were made in Massachusetts, TJX maintains in Massachusetts all or a substantial part of its computer systems containing such customer information, and the security breach of its computer systems took place primarily and substantially in Massachusetts.

148. Said Plaintiff and the members of the Class (as limited above) have been damaged as a result of Defendants’ unfair practices.

149. Defendants’ conduct was committed willfully, knowingly, in bad faith and in violation of Chapter 93A, §§ 2, 11.

150. Demand on behalf of the Class (as limited above) has been made upon Defendants pursuant to Chapter 93A, § 11.

PRAYER FOR RELIEF

WHEREFORE, Plaintiffs, on behalf of themselves and all others similarly situated, respectfully request the following relief:

A. that this Court certify this action as a Class action pursuant to Federal Rule of Civil Procedure 23(a) and (b)(3), and appoint Plaintiffs and their counsel to represent the Class;

B. that this Court enter judgment in favor of Plaintiffs and the Class, and against Defendants under the legal theories alleged herein;

C. that this Court award damages to Plaintiffs and the Class under the legal theories alleged herein;

D. that this Court award treble damages, attorneys’ fees and costs to Plaintiffs and the Class under Mass. Gen. Law Chap. 93A §§ 9(3), 11;

E. that this Court award injunctive relief, including but not limited to: (i) the provision of credit monitoring and/or credit card monitoring services for the Class; (ii) the provision of identity theft insurance for the Class; and (iii) the requirement that TJX enhance the security of its computer system to minimize the likelihood of intrusions in the future;

F. that this Court award attorneys’ fees, expenses, and costs of this suit;

G. that this Court award Plaintiffs and the Class pre-judgment and post-judgment interest at the maximum rate allowable by law; and

H. that this Court award such other and further relief as it may deem just and appropriate.

JURY TRIAL DEMAND

Plaintiffs, on behalf of themselves and the Class, demand a trial by jury on all issues so triable.

Dated: December 20, 2007

Respectfully Submitted,

/s/ Sherrie R. Savett
Sherrie R. Savett (admitted pro hac vice)
Michael T. Fantini (admitted pro hac vice)
Jon Lambiras (admitted pro hac vice)
Berger & Montague, P.C.
1622 Locust Street
Philadelphia, PA 19103
Tel: (215) 875-3000
Co-Lead Counsel and Settlement Class Co-Lead Counsel for Consumer Track Plaintiffs

/s/ Lester L. Levy
Lester L. Levy (admitted pro hac vice)
Emily Madoff
Danielle Disporto (admitted pro hac vice)
Wolf Popper LLP
845 Third Avenue
New York, NY 10022
Tel: (212) 759-4600
Co-Lead Counsel and Settlement Class Co-Lead Counsel for Consumer Track Plaintiffs

/s/ Ben Barnow
Ben Barnow (admitted pro hac vice)
Barnow & Associates, P.C.
1 North LaSalle, Suite 4600
Chicago, IL 60602
Tel: (312) 621-2000
Settlement Class Co-Lead Counsel for Consumer Track Plaintiffs

/s/ Jonathan Shapiro
Jonathan Shapiro (BBO # 454220)
Stern Shapiro Weissberg & Garin, LLP
90 Canal Street
Boston, MA 02114
Tel: (617) 742-5800
Co-Liaison Counsel for Consumer Track Plaintiffs

/s/ Thomas G. Shapiro
Thomas G. Shapiro (BBO # 454680)
Robert E. Ditzion (BBO # 660962)
Shapiro Haber & Urmy LLP
53 State Street
Boston, MA 02109
Tel: (617) 439-3939
Co-Liaison Counsel for Consumer Track Plaintiffs

Certificate of Service

I hereby certify that this document filed through the ECF system will be sent electronically to the registered participants as identified on the Notice of Electronic Filing (NEF) and paper copies will be sent to those indicated as non-registered participants on December 20, 2007.

/s/ Thomas G. Shapiro
Thomas G. Shapiro
