The parent company of Massachusetts-based retailer T.J. Maxx has reached a settlement with 41 states over a data breach that exposed an estimated 94 million credit and debit card numbers nationwide to hackers.

The parent company of Massachusetts-based retailer T.J. Maxx has reached a settlement with 41 states over a data breach that exposed an estimated 94 million credit and debit card numbers nationwide to hackers.

Oregon Attorney General John Kroger announced the deal with TJX Companies today. T.J. Maxx has operated a store at Medford's Bear Creek Plaza shopping center since 1996.

The settlement involves what is believed to be the largest ever data breach by a merchant. Hackers intercepted an estimated 94 million credit and debit card numbers between 2005 and 2007.

Anyone in Oregon who used a credit or debit card to purchase goods from T.J. Maxx or affiliated Marshalls stores in that time frame could have been affected.

Under the agreement, TJX must: upgrade all wired equivalency privacy based wireless systems in TJX retail stores to wired systems or Wi-Fi protected access wired systems; no longer store credit card or debit card data on its network any longer than necessary for legitimate business purposes; and separate the rest of the TJX computer system from the network-based portions of the TJX computer system that store, process or transmit personal information by firewalls and access controls.

The retailer also must implement security password management for portions of the TJX computer system that store, process or transmit personal information.

— Greg Stiles