
CASE 10-2

Real-World Case

TJX Security Breach

The TJX Companies, Inc., is the leading off-price apparel and home fashions retailer in the United States
and worldwide, with $16 billion in revenues in 2005, 8 businesses, and more than 2,300 stores, with a
rank of 138 in the most recent Fortune 500 rankings. TJX’s off-price concepts include T.J. Maxx,
Marshalls, HomeGoods, and A.J. Wright, in the United States, Winners and HomeSense in Canada, and
T.K. Maxx in Europe. Bob’s Stores is a value-oriented casual clothing and footwear superstore in the
Northeastern United States. Our off-price mission is to deliver a rapidly changing assortment of quality
brand name merchandise at prices that are 20–60 percent less than department and specialty store
regular prices, every day. Our target customer is a middle to upper-middle income shopper, who is
fashion and value conscious. This customer fits the same profile as a department store shopper, with the
exception of A.J. Wright, which reaches a more moderate-income market, and Bob’s Stores, which
targets customers in the moderate to upper-middle income range.

In mid-December 2006, TJX discovered that a hacker had illegally accessed the network that
handles credit card, debit card, check, and return transactions. The stores affected were T.J. Maxx,
Marshalls, HomeGoods, and A.J. Wright stores in the United States and Puerto Rico. The stores affected
in Canada were HomeSense and Winners.

Current reports indicate the hacker had access from a time in July 2005 to mid-December 2006. Along
with credit and debit card numbers that were stolen, some driver’s license numbers with names and
addresses were compromised. As the investigation continues, there is concern that even stores
in the United Kingdom are affected.

The announcement to the public occurred about one month after the breach was discovered.
Once the breach was discovered, the areas that allowed for the network breach were closed. Law
enforcement along with external security experts was called in to investigate and evaluate the breach
and how to prevent it in the future. The cost for this breach and subsequent cleanup will be large.
Affected TJX customers are being notified, banks are reissuing credit cards, and the security consulting
and intrusion detection around the breach is going to be expensive in addition to the fraudulent activity
related to the stolen numbers. The fallout from a breach like this may last for years, affecting consumers
over the next five years or longer.

Breaches like TJX are more common with today’s increased e-commerce and e-Business.
Networks, servers, and services are constantly being stressed to look for weak links. Information
technology security systems are in need of constant scrutiny by companies engaged in storing of
personal information. In the TJX case, beyond the costs of correcting the security hole, the ongoing
investigation, and notifying consumers, the company may also see a loss of sales revenue. Current analysis is
not conclusive, but as time goes by consumers may lack trust in businesses that do not appropriately
safeguard consumer identities from fraudulent activities.

CASE QUESTIONS

1. What are the costs involved in the TJX network breach?

2. As this investigation unfolds, research the additional costs or loss of revenue to TJX and the credit
card companies involved.

3. What should TJX have done to prevent this breach from occurring? Could they have stopped it?
