TJX Security Breach Response

When you read “The TJX Companies, Inc. V.A.L.U.E. Corporate Social Responsibility Report 2013” and see Carol Meyrowitz’s letter, you would never believe the crisis that rocked the company in 2008 ever happened. This case illustrates one difference between companies that learn, change, and grow, and those that do not.

TJX seems to practice its VALUE proposition, “Vendor Social Compliance, Attention to Governance, Leveraging Differences, United With Our Communities and Environmental Initiatives.” Forbes reported in 2013 that the TJX Companies (NYSE: TJX) has taken over the #95 spot from Capital One Financial Corp (NYSE: COF). Although the company, as with several other retailers, could improve its customer satisfaction index score, it has recovered from the 2008 crisis recounted here.[1]

On January 17, 2008, TJX Companies, Inc., a leading retailer in the field of clothing and home fashions that operates stores domestically and internationally, announced that the organization had experienced an unauthorized intrusion of its computer systems.[2] Customer information, including credit card, debit card, and driver’s license numbers, had been compromised. This intrusion had been discovered in December of 2006, and it was thought that data and information as far back as 2003 had been accessed and/or stolen. At the time, approximately 45.6 million credit card numbers had been stolen. In October of 2007, the number rose to 94 million accounts.[3] This is one of the largest credit card thefts or unauthorized intrusions in recent history.

Because of the lax security systems at TJX, the hackers had an open doorway to the company’s entire computer system. In 2005, hackers used a laptop outside of one of TJX’s stores in Minnesota and easily cracked the code to enter into the Wi-Fi network. Once in, the hackers were able to access customer databases at the corporate headquarters in Framingham, Massachusetts. The hackers gained access to millions of credit card and debit card numbers, information on refund transactions, and customer addresses and phone numbers. The hackers reportedly used the stolen information to purchase over $8 million in merchandise.[4]

TJX used the outdated WEP (Wired Equivalent Privacy) protocol to secure its networks. In 2001, hackers were able to break WEP’s encryption, which left TJX highly vulnerable to an intrusion. (Similar data breaches have occurred within the past few years at the firms ChoicePoint and CardSystems Solutions.) In August of 2007, a Ukrainian man, Maksym Yastremskiy, was arrested in Turkey as a potential suspect in the TJX case. According to police officials, Yastremskiy is “one of the world’s important and well-known computer pirates.”[5] He led two other men in the scheme.[6]

Even though the intrusion was discovered in December of 2006, the company did not publicize it until a month later. Consumers felt that they should have been notified of the breach once it was discovered. However, TJX complied with law enforcement and kept the information confidential until it was told it could notify the public. Retail companies such as TJX that use credit card processing are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of requirements with the purpose of maximizing the security of credit and debit card transactions. A majority of firms have not complied with this standard, as was the case with TJX.

A number of stakeholders were involved in this break-in: consumers, who were put at great risk; banks; TJX (its shareholders, management, employees, and other internal parties who did business with and were invested in the firm); the credit card companies; the law enforcement and justice systems; the public; other retail firms; and the media, to name a few. Chief executive officer (CEO) Carol Meyrowitz took an active role in informing the public in statements on the company’s web sites and through the media about the company’s responsibility and obligations to its stakeholders during and after the investigation. TJX also contacted various agencies to help with the investigation. A web site and hotline were established to answer customer questions and concerns.

The intrusion cost TJX approximately $118 million in after-tax cash charges and $21 million in future charges. Although TJX incurred substantial legal, reimbursement, and improvement costs, the company’s pretax sales were not negatively affected. Sales during the second quarter of fiscal year 2008 increased compared to second quarter sales from fiscal year 2007.[7]

At the end of 2007, TJX reached a settlement agreement with six banks and bankers’ associations in response to a class action lawsuit against the company.[8] In the spring of 2008, TJX settled in separate agreements with Visa ($40.9 million with 80% acceptance) and MasterCard International (a maximum of $24 million with 90% minimum acceptance). There was almost full acceptance of the alternative recovery offers by eligible MasterCard accounts.[9] Note that those issuers who accept the agreements and terms “release and indemnify TJX and its acquiring banks on their claims, the claims of their affiliated issuers, and those of their sponsored issuers as MasterCard issuers related to the intrusion. That includes claims in putative class actions in federal and Massachusetts state courts.”[10]

Affected customers were reimbursed for costs such as replacing their driver’s licenses and other forms of identification and were offered vouchers at TJX stores and free monitoring of their credit cards for three years. Customer discontent was reportedly expressed after the intrusion; however, customer loyalty returned,[11] as was evidenced in sales numbers.


[1] TJX’s V.A.L.U.E: Corporate social responsibility report 2013 is available at http://www.tjx.com/images/corp_resp/pdf/TJX2013_CSR_online.pdf, accessed January 6, 2014. See also TJX Companies now #95 largest company, surpassing Capital One Financial. (2013). Forbes.com. http://www.forbes.com/sites/dividendchannel/2013/09/18/tjx-compa-nies-now-95-largest-company-surpassing-capital-one-financial/, accessed January 6, 2014.

[2] The TJX Companies, Inc. victimized by computer systems intrusion; provides information to help protect customers. (January 17, 2007). Business Wire News Releases. http://finance.boston.com/boston/news/read/911239/the_tjx_companies, accessed February 3, 2014.

[3] Visa fines TJX credit card processor. (October 29, 2007). SC Magazine. http://www.scmagazine.com/visa-fines-tjx-credit-card-processor/article/58255/, accessed January 6, 2014.

[4] Lemos, R. (March 30, 2007). TJX theft tops 45.6 million card numbers. SecurityFocus. http://www.securityfocus.com/news/11455, accessed January 6, 2014.

[5] Kerber, R. (August 21, 2007). Suspect named in TJX credit card probe. Boston.com. http://www.boston.com/business/personalfinance/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/, accessed January 6, 2014.

[6] Goodin, D. (May 13, 2008). TJX credit card heist suspect, 2 others, accused of new scam. Register. http://www.theregister.co.uk/2008/05/13/trio_accused_in_carding_scam/, accessed January 6, 2014.

[7] The TJX Companies, Inc. reports strong second quarter FY08 operating results; Estimates liability from computer systems intrusion(s). (August 14, 2007). The TJX Companies, Inc. via Business Wire News Releases. http://finance.boston.com/boston/news/read/2899835/the_tjx_companies, accessed February 3, 2014.

[8] Bangeman, E. (May 6, 2007). Blame for record-breaking credit card data theft laid at the feet of WEP. Ars Technica. http://arstechnica.com/news.ars/post/20070506-blame-for-record-breaking-credit-card-data-theft-laid-at-the-feet-of-wep.html, accessed January 6, 2014.

[9] Lemos, op. cit.

[10] News on Archives. (March 26, 2008). TJX Cos. settles with MasterCard. http://www.cuna.org/newsnow/archive/list.php?date=040308#35511, accessed February 3, 2014.

[11] Code of ethics for TJX executives. (n.d.). http://www.tjx.com/files/pdf/corp_resp/Code%20of%20Ethics%20for%20TJX%20Executives.pdf, accessed February 9, 2012.

Review the case study “The TJX Companies, Inc. V.A.L.U.E. Corporate Social Responsibility Report 2013,” which can be found in Chapter 4 of the textbook. You will analyze this case study with a team of your peers and then submit a joint case study analysis for grading. How your team works together to arrive at your joint analysis will be demonstrated through your group’s assigned discussion forum. Begin by selecting one member to lead the group and then formulate a plan to complete the work. The leader will be the one who eventually submits the group’s paper.

Your submission should address the following:
How has TJX responded to the compliance issues involved in this case?
Did TJX display a strategy in their response?
Discuss how the timing of the response impacted stakeholders and the TJX corporate brand. Did TJX keep the needs of stakeholders a priority in their decision-making process in the case?
Describe the short- and long-term effects of the case on the business sustainability.

TJX responded technically to the situation at hand by immediately hiring leading computer security and crisis companies to assess and determine the magnitude of the breach and assist in the investigation. To ensure that the corporation followed the country’s laws and regulations, it informed the government agencies involved, which include the Secret Service, Department of Justice, Federal Trade Commission, and Securities and Exchange Commission, who later advised the company to go public on the crisis (The TJX Companies, 2013). In so doing, the company adhered to compliance expectations. The company was strategic in its approach towards the crisis, considering that it followed the right channels for handling such a situation. By informing government agencies and gathering information first, the company could give other stakeholders accurate information about the crisis, thus limiting the number of emerging questions (Xu, Grant, Nguyen, & Dai, 2008).

Although most people believe that the company should have informed the stakeholders of the breach immediately, the timing of the firm was appropriate since, by the time of going public, the concerned agencies were aware and concrete details about the crisis were available after the investigation. The timing, however, affected the confidence of the stakeholders in the company’s capability to keep their information safe, thus negatively affecting brand quality (Garcia, 2013). The core reason for the negative impact is the failure of the business to prioritize stakeholder needs during the decision-making process, as it concentrated on legal matters over customer satisfaction….
