TJX Cos. has agreed to pay $9.7 million in a settlement with 41 states over a computer breach that left millions of consumers vulnerable to identity theft, Pennsylvania Attorney General Tom Corbett said.

The settlement resolves claims that TJX failed to take sufficient steps to protect consumer information, Corbett said in a press release Monday. The agreement will lead to the creation of a $2.5 million national fund to investigate future data security breaches.

"This multistate investigation was triggered by the largest computer security breach ever reported," Corbett said. "Every time someone swiped a credit card or debit card at a store operated by TJX, their information was funneled directly to hackers."

TJX, of Framingham, Mass., reported in January 2007 that hackers broke into its computer system and stole about 45.7 million credit and debit card numbers.

The deal also requires TJX to upgrade and test its security system and regularly report results to attorneys general nationwide.

TJX first reported the settlement with attorneys general in June.

"TJX firmly believes that it did not violate any consumer protection or data security laws," the company said last month.
