The parent company of Massachusetts-based retailer T.J. Maxx has reached a settlement with 41 states over a data breach that exposed an estimated 94 million credit-card and debit-card numbers nationwide to hackers.

The parent company of Massachusetts-based retailer T.J. Maxx has reached a settlement with 41 states over a data breach that exposed an estimated 94 million credit-card and debit-card numbers nationwide to hackers.

Oregon Attorney General John Kroger announced the deal with TJX Companies Tuesday. T.J. Maxx has operated a store at Medford's Bear Creek Plaza shopping center since 1996.

The settlement involves what is believed to be the largest ever data breach for a merchant. Hackers intercepted an estimated 94 million credit-card and debit-card numbers between 2005 and 2007.

Anyone in Oregon who used a credit or debit card to purchase goods from T.J. Maxx or affiliated Marshalls stores in that time frame could have been affected. Under the agreement, TJX must:

Upgrade all wired equivalency privacy based wireless systems in TJX retail stores to wired systems or Wi-Fi protected access wired systems. No longer store credit-card or debit-card data on its network any longer than necessary for legitimate business purposes. Separate the rest of the TJX computer system from the network-based portions of the TJX computer system that store, process or transmit personal information by firewalls and access controls. Must implement security-password management for portions of the TJX computer system that store, process or transmit personal information.