Analyze the case study – addressing the following question:
- How has TJX responded to the compliance issues involved in this case?
When you read “The TJX Companies, Inc. V.A.L.U.E. Corporate Social Responsibility Report 2013” and see Carol Meyrowitz’s letter, you would never believe the crisis that rocked the company in 2008 ever happened. This case illustrates one difference between companies that learn, change, and grow, and those that do not.
TJX seems to practice its VALUE proposition, “Vendor Social Compliance, Attention to Governance, Leveraging Differences, United With Our Communities and Environmental Initiatives.” Forbes reported in 2013 that the TJX Companies (NYSE: TJX) has taken over the #95 spot from Capital One Financial Corp (NYSE: COF). Although the company, as with several other retailers, could improve its customer satisfaction index score, it has recovered from the 2008 crisis recounted here.
On January 17, 2008, TJX Companies, Inc., a leading retailer in the field of clothing and home fashions that operates stores domestically and internationally, announced that the organization had experienced an unauthorized intrusion of its computer systems. Customer information, including credit card, debit card, and driver’s license numbers, had been compromised. This intrusion had been discovered in December of 2006, and it was thought that data and information as far back as 2003 had been accessed and/or stolen. At the time, approximately 45.6 million credit card numbers had been stolen. In October of 2007, the number rose to 94 million accounts. This is one of the largest credit card thefts or unauthorized intrusions in recent history.
Because of the lax security systems at TJX, the hackers had an open doorway to the company’s entire computer system. In 2005, hackers used a laptop outside of one of TJX’s stores in Minnesota and easily cracked the code to enter into the Wi-Fi network. Once in, the hackers were able to access customer databases at the corporate headquarters in Framingham, Massachusetts. The hackers gained access to millions of credit card and debit card numbers, information on refund transactions, and customer addresses and phone numbers. The hackers reportedly used the stolen information to purchase over $8 million in merchandise.
TJX used the outdated WEP (Wired Equivalent Privacy) protocol to secure its networks. In 2001, hackers were able to break the code of WEP, which made TJX highly vulnerable to an intrusion. (Similar data breaches have occurred within the past few years at the firms ChoicePoint and CardSystems Solutions.) In August of 2007, a Ukrainian man, Maksym Yastremskiy, was arrested in Turkey as a potential suspect in the TJX case. According to police officials, Yastremskiy is “one of the world’s important and well-known computer pirates.” He led two other men in the scheme.
Even though the intrusion was discovered in December of 2006, the company did not publicize it until a month later. Consumers felt that they should have been notified of the breach once it was discovered. However, TJX complied with law enforcement and kept the information confidential until it was told it could notify the public. Retail companies such as TJX that use credit card processing are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of requirements with the purpose of maximizing the security of credit and debit card transactions. A majority of firms have not complied with this standard, as was the case with TJX.
A number of stakeholders were involved in this break-in: consumers, who were put at great risk; banks; TJX (its shareholders, management, employees, and other internal parties who did business with and were invested in the firm); the credit card companies; the law enforcement and justice systems; the public; other retail firms; and the media, to name a few. Chief executive officer (CEO) Carol Meyrowitz took an active role in informing the public in statements on the company’s web sites and through the media about the company’s responsibility and obligations to its stakeholders during and after the investigation. TJX also contacted various agencies to help with the investigation. A web site and hotline were established to answer customer questions and concerns.
The intrusion cost TJX approximately $118 million in after-tax cash charges and $21 million in future charges. Although TJX incurred substantial legal, reimbursement, and improvement costs, the company’s pretax sales were not negatively affected. Sales during the second quarter of fiscal year 2008 increased compared to second quarter sales from fiscal year 2007.
At the end of 2007, TJX reached a settlement agreement with six banks and bankers’ associations in response to a class action lawsuit against the company. In the spring of 2008, TJX settled in separate agreements with Visa ($40.9 million with 80% acceptance) and MasterCard International (a maximum of $24 million with 90% minimum acceptance). There was almost full acceptance of the alternative recovery offers by eligible MasterCard accounts. Note that those issuers who accept the agreements and terms “release and indemnify TJX and its acquiring banks on their claims, the claims of their affiliated issuers, and those of their sponsored issuers as MasterCard issuers related to the intrusion. That includes claims in putative class actions in federal and Massachusetts state courts.”
Affected customers were reimbursed for costs such as replacing their driver’s licenses and other forms of identification and were offered vouchers at TJX stores and free monitoring of their credit cards for three years. Customer discontent was reportedly expressed after the intrusion; however, customer loyalty returned, as was evidenced in sales numbers.
TJX’s V.A.L.U.E: Corporate social responsibility report 2013 is available at http://www.tjx.com/images/corp_resp/pdf/TJX2013_CSR_online.pdf, accessed January 6, 2014. See also TJX Companies now #95 largest company, surpassing Capital One Financial. (2013). Forbes.com. http://www.forbes.com/sites/dividendchannel/2013/09/18/tjx-companies-now-95-largest-company-surpassing-capital-one-financial/, accessed January 6, 2014.
The TJX Companies, Inc. victimized by computer systems intrusion; provides information to help protect customers. (January 17, 2007). Business Wire News Releases. http://finance.boston.com/boston/news/read/911239/the_tjx_companies, accessed February 3, 2014.
Visa fines TJX credit card processor. (October 29, 2007). SC Magazine. http://www.scmagazine.com/visa-fines-tjx-credit-card-processor/article/58255/, accessed January 6, 2014.
Kerber, R. (August 21, 2007). Suspect named in TJX credit card probe. Boston.com. http://www.boston.com/business/personalfinance/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/, accessed January 6, 2014.
Goodin, D. (May 13, 2008). TJX credit card heist suspect, 2 others, accused of new scam. Register. http://www.theregister.co.uk/2008/05/13/trio_accused_in_carding_scam/, accessed January 6, 2014.