
TJX Database Breach Sparks Class-Action Lawsuits

Special Edition - National Consumer Protection Week

February 2007

Consumers braced themselves for another round of identity theft roulette when, in mid-January, TJX Companies announced that its computer system had been hacked.  TJX is the parent company to popular retailers T.J. Maxx, Marshalls, HomeGoods, HomeSense, Winners and A.J. Wright.  The infiltrated systems contained data from credit card, debit card, check and return transactions that occurred in U.S., Canadian and Puerto Rican stores in 2003 or during the period from mid-May through Dec. 2006.  Consumer information generated through transactions that occurred in the U.K. and Ireland may also have been stolen.

Unlike many security breaches, there was no question what the TJX hackers were after.  Shortly following the company’s announcement of the breach, the Massachusetts Bankers Association reported that 28 of its member banks had experienced some sort of fraud among member accounts.  That number quickly grew to 60, meaning that somehow, somebody was using the stolen information to make illegal purchases.

TJX never disclosed exactly how much customer information was exposed, but the president of the New Hampshire Bankers Association claimed as many as 20 to 30 percent of New Englanders may have been affected.  The Wall Street Journal estimated the number could be as high as 40 million people.  TJX officials countered that the actual number was “substantially less” than what the Journal reported, but didn’t offer any specifics.

Round One of the Fallout

Now, TJX faces what communications experts are calling a public relations disaster.  The chairman of the House Subcommittee on Telecommunications and the Internet, Rep. Ed Markey (D-Mass.), has asked the Federal Trade Commission to intervene and investigate exactly what happened.

Meanwhile, two federal class-action lawsuits have been filed against the company in Boston—one from a West Virginia woman and the other from a bank in Alabama.  Consumer Paula Mace alleges that the breach constituted negligence.  Mace had shopped at a T.J. Maxx store in December 2006 and used a debit card to pay for her purchases.  By mid-January, she was notified by her bank that her debit card had been exposed to thieves.  Though Mace appears to have had no money stolen from her account, she claims that her privacy rights were violated and that she was exposed to risk of credit card fraud and identity theft.  Her complaint claims that the breach was “reasonably foreseeable” and resulted from TJX’s failure to use appropriate data security procedures.  It also criticizes the company’s decision to wait a month before announcing the data breach.

The Alabama lawsuit, filed by the bank AmeriFirst, is seeking to recover the costs of replacing compromised credit cards for its customers.  The bank says it has identified 150 of its customers who will need to have credit or debit cards replaced at a cost of $20 each.  The bank has also named as a defendant the Ohio-based Fifth Third Bank, which processes debit and credit transactions for TJX.  This suit could likely start a cascade effect.

The Company’s Communications

Responding to a constant stream of media publicity, TJX is in full damage-control mode.  On Sunday, Jan. 28, it took out a full-page ad which ran for several days in two prominent Boston daily newspapers.  Featuring a statement from chair Ben Cammarata, the ad defended the company’s decision to wait a month to disclose details of the breach.  “By delaying a public announcement ... we were able to contain the problem and further strengthen our computer network to prevent further intrusion,” Cammarata wrote.  “Therefore, we believe we were working in the best interests of our customers.”

Nevertheless, some observers say that Cammarata’s statement didn’t go far enough.  David Rosenbaum, an editor at CIO Magazine, asks, “Wouldn’t it be better to just say you’re sorry, Ben?  To come out and admit that TJX screwed up royally and you’re going to try to make it right with all the customers whose personal data your company’s incompetence has compromised?”

TJX compounded its PR woes early on, when corporate officials characterized TJX as a “victim” in a press release issued soon after the breach was disclosed.  “We think it’s a little odd that they would characterize themselves as victims when it appears they may have been capturing data that was unnecessary,” said Massachusetts Bankers Association CEO and President Daniel J. Forte in a prepared statement.

VISA’s institutional rules expressly prohibit retailers from retaining debit and credit card information.  As Forte explained, “After the transaction clears, there is no reason to store that data.”

TJX still has much to explain and potentially enormous legal obligations to sort out.  At the very least, it ought to offer exposed customers fraud and credit monitoring services.  For those whose information has been misappropriated, the company should go a step further and offer some type of resolution services so that people can get their lives and finances back in order—and even feel comfortable shopping at T.J. Maxx and Marshalls once again.

The unfolding TJX saga is truly a cautionary tale for retailers, bankers and consumers as we reflect upon the message of National Consumer Protection Week.

©2003-2010 Identity Theft 911, LLC. All rights reserved.
