There's a point where tragedy morphs into farce. The T.J. Maxx scandal has reached that point.
A couple weeks ago, I used this space to describe the massive consumer data breach first suffered by, then concealed by, mega-retailer TJX (NYSE:TJX) -- better known by its trade names such as T.J. Maxx, Marshalls, and HomeSense. In mid-December of 2006, an unidentified person hacked into a TJX computer network that stores credit and debit card numbers and customer merchandise returns (including names, addresses, and driver's license data of customers returning merchandise without receipts).
After discovering the breach, TJX notified law enforcement, alerted credit card providers such as American Express (NYSE:AXP), MasterCard (NYSE:MA), and Visa, and hired General Dynamics and IBM (NYSE:IBM) to beef up its computer security. So don't get me wrong -- the firm did a fine job of containing the damage. By quickly notifying the credit card companies, TJX may have prevented all but the fleetest of criminals from racking up fraudulent charges. And after listening to chairman, founder, and then-acting-CEO Ben Cammarata's latest message to customers (released Tuesday), I'm persuaded by his logic that, because most of the data stolen was limited to charge card numbers and expiration dates, full-blown identity theft may not result from this incident. For that, you need Social Security numbers, names, addresses, and other personally identifiable information.
The problem, it seems to me -- the farcical side of this -- is that despite TJX taking all the correct, logical steps to deal with the problem, it's still faced with a major public relations disaster, and one of its own making. By sitting on the news of the breach for one month, the firm started off on the wrong foot with its customers. And by refusing to provide full details on the theft, TJX raises more questions than answers to basic questions such as how many customers are at risk. For example:
- TJX says it's against policy to ask customers for their Social Security numbers -- but in a firm with 120,000 "associates," isn't it likely that a few of these people do indeed request and record those numbers when, for example, accepting payment by check?
- The Wall Street Journal says as many as 40 million customer records may have been compromised. TJX says only a "small number" of customers' driver's license numbers, names, and addresses were stolen. But relative to "40 million," how small is small? Four? Forty thousand? Four million? Six weeks after the theft took place, we still don't know.
It also doesn't help that Cammarata sounds disingenuous when arguing that: "Based on the type of data involved in the breach of our systems, we don't believe that [TJX paying for credit monitoring] will be meaningful to customers." It's true that credit monitoring may not detect fraudulent purchases per se. But the statement seems a bit silly in light of the fact that fraudulent purchases from around the globe have already been traced back to the breach. This may not meet the technical definition of "identity theft," but it sure feels like it to the victims.
Moreover, we all know the real reason that TJX won't pay for credit monitoring isn't because it fears its customers will find the service "not meaningful" -- but because TJX doesn't want to pay for it. Using a few data points, at an annual cost of, say, $50 per person, providing credit monitoring to 40 million endangered customers could cost the firm $2 billion. I suspect that's why victims of smaller breaches, such as those suffered at ChoicePoint (NYSE:CPS) and AT&T (NYSE:T) recently, are enjoying the protection today -- while TJX customers are left out in the cold.
Concerned about identity theft? Motley Fool Green Light did a special issue on the subject back in October, in which we included a primer on how to deal with situations like the one discussed above. Take a free trial to the service and you can read all about it.
Fool contributor Rich Smith does not own shares of any company named above. MasterCard is an Inside Value recommendation.
