There's a point where tragedy morphs into farce. The T.J. Maxx scandal has reached that point.
A couple weeks ago, I used this space to describe the massive consumer data breach first suffered by, then concealed by, mega-retailer TJX
After discovering the breach, TJX notified law enforcement, alerted credit card providers such as American Express
The problem, it seems to me -- the farcical side of this -- is that despite TJX taking all the correct, logical steps to deal with the problem, it's still faced with a major public relations disaster, and one of its own making. By sitting on the news of the breach for one month, the firm started off on the wrong foot with its customers. And by refusing to provide full details on the theft, TJX raises more questions than it answers, including basic ones such as how many customers are at risk. For example:
- TJX says it's against policy to ask customers for their Social Security numbers -- but in a firm with 120,000 "associates," isn't it likely that a few of these people do indeed request and record those numbers when, for example, accepting payment by check?
- The Wall Street Journal says as many as 40 million customer records may have been compromised. TJX says only a "small number" of customers' driver's license numbers, names, and addresses were stolen. But relative to "40 million," how small is small? Four? Forty thousand? Four million? Six weeks after the theft took place, we still don't know.
It also doesn't help that Cammarata sounds disingenuous when arguing that: "Based on the type of data involved in the breach of our systems, we don't believe that [TJX paying for credit monitoring] will be meaningful to customers." It's true that credit monitoring may not detect fraudulent purchases per se. But the statement seems a bit silly in light of the fact that fraudulent purchases from around the globe have already been traced back to the breach. This may not meet the technical definition of "identity theft," but it sure feels like it to the victims.
Moreover, we all know the real reason that TJX won't pay for credit monitoring isn't because it fears its customers will find the service "not meaningful" -- but because TJX doesn't want to pay for it. Using a few data points, at an annual cost of, say, $50 per person, providing credit monitoring to 40 million endangered customers could cost the firm $2 billion. I suspect that's why victims of smaller breaches, such as those suffered at ChoicePoint
Fool contributor Rich Smith does not own shares of any company named above. MasterCard is an Inside Value recommendation.