TJX security breach aftermath: a case study in what to do wrong
By Scott Bradner, Network World, 01/29/07
Last week I wrote about what retailer TJX had done wrong leading up to its recent widely reported security lapse. This week's column is about what TJX has done wrong since the lapse was discovered.
In spite of full-page ads in the Boston Globe and Boston Herald in the last two days, the extent of the security lapse is still not known because TJX has steadfastly refused to provide any concrete information. The lack of information provides fertile ground for speculation -- for example, published reports last week that as many as 30% of all New Englanders may have been impacted. On Jan. 26, TJX announced it had hired John Gilbert, formerly with Dunkin' Donuts, as chief marketing officer. Maybe he is smart enough to understand that stonewalling is the worst possible reaction to a problem. Everything will come out in the end, and in this case it may come out with the president of TJX testifying on national TV in front of Congress. It is far better to provide more information than is being requested so it does not look like you are covering up.
Maybe TJX feels it cannot do this because it is covering up. Originally TJX maintained that it delayed making a public announcement at the request of law enforcement only to later admit the delay was in part a "business decision" and now, in the ads, the company says it was "in the best interest of our customers." Yeah -- the best interest of customers was to keep them in the dark until they finished their Christmas shopping. In the end, TJX only admitted to a problem after the first Wall Street Journal report.
TJX has still not said how many cards were exposed, yet some information must exist because banks are quite busy contacting their customers and replacing cards (including my wife's). At the very least, TJX could tell its customers -- the folks whose trust it has to retain in order to stay in business -- what TJX told the banks. Delaying will increase rather than decrease the pain when the numbers do come out.
Unlike most organizations that have had similar, although far smaller, breaches, TJX has not said it would protect customers by buying credit watch services for them. I expect the company will have to do so at some point but because it is delaying so long, it's clear that protecting customers has not been a concern for TJX and it will only do so when forced.
TJX has not admitted that it was not compliant with the PCI security standards nor has the company committed to becoming compliant in the new ads. Visa's security requirements say that merchants the scale of TJX had to be compliant with the security standards by Sept. 30, 2004. If Visa had any courage it would give TJX a short fixed period of time to become compliant (say, 30 days from the breach discovery) or be stopped from accepting Visa cards.
The PCI standard requires merchants to "limit storage amount and retention time [of cardholder data] to that which is required for business, legal, and/or regulatory purposes." TJX has not said it has or will destroy the data retained in excess of this standard.
In short, TJX has said squat of any consequence. It will continue to be raked over the coals for that. It would have been so easy to do what Johnson & Johnson did after the 1982 Tylenol deaths -- get in front of the issue and stay there. But TJX decided to hide its head in the sand instead -- a very poor decision, but a good case study in what not to do.
Disclaimer: I can only guess if the Harvard Business School will develop a case study about TJX or what one would say, so the above review must be mine.