TJX Probes Slowly Crawl Along

Written by Evan Schuman
March 15th, 2007

The names of the states investigating TJX, the status of congressional hearings and a federal confirmation are among the latest developments in this huge data breach.

The data breach case of $16 billion retailer TJX is crawling along, with this week delivering to us a handful of pseudo-developments. Those are things that sound like information, but examined closely tell us little new.

The Federal Trade Commission, for example, confirmed that it has been investigating TJX, but wouldn’t say what it has found nor when it started. This would only be news to someone who thought the FTC would not have investigated and that pretty much rules out anyone who understands Washington’s CYA mentality.

Yes, the FTC will make some inquiries, take many months to mull it over and then quietly issue a fine that is near the top of their penalties, which is also coincidentally just shy of what TJX would consider a rounding error. Oh, and the FTC investigation’s details won’t be published, probably under national security headings because it could help Al Qaeda attack the U.S. credit card business. (Snicker now, but just wait and see how close the FTC comes to that wording in six months.)

Ahhhhh, but this country has checks and balances, no? The new majority in the U.S. House of Representatives has pledged to act and act quickly. We’re now told by House staffers that the Energy and Commerce Committee is going to leap into action with hearings in “mid-to-late May” about a proposed data security bill.

Great! So that’s when congressional testimony will reveal the specifics of what happened with TJX, so the rest of the industry can protect itself, right? Well, actually, no. The FTC probe is giving Congress political cover to not investigate TJX, but the hearings will have lots of witnesses to say that data security really needs a lot of work. And money. Don’t forget the money.

Maybe, say the congressional aides, the committee will truly investigate TJX when the FTC probe is over.

Wait. All hope is not lost. What about all of those class-action lawsuits? Surely those depositions will start shedding light? Don’t bet on it. It’s going to take quite a few months before any of those depositions will be taken and, even then, lawyers will want to keep those details quiet until they can negotiate juicy settlements with TJX.

Why? There’s only thing TJX fears more than letting this case get to a jury: letting the full details get to its customers and investors. A last-minute settlement?with a hush clause?is quite likely. To not lose their leverage, lawyers will likely sit on those details as though they’re the crown jewels.

What of our state governments? They’re certainly above political or monetary considerations, right? The multi-state attorney general probe is proceeding, but details coming out are few. We did learn this week some of the not-yet-released states that are participating and that it does appear to be about 34 states involved.

Beyond Massachusetts (who is in charge of the probe) and Rhode Island (which had launched its own probe before giving up and joining the group), states participating include: Alabama; Arkansas; Arizona; California; Colorado; Connecticut; Delaware; Florida; Washington, D.C. (OK, so it’s not really a state. Sue me); Hawaii (Probe ’em, Danno); Illinois; Maine; Maryland; Michigan; Mississippi; Missouri; Montana; Nebraska; Nevada; New Hampshire; New Jersey; New Mexico; North Carolina; North Dakota; Ohio; Oklahoma; Oregon; Pennsylvania (which many years ago proved its insightfulness by grabbing the only “” domain. Everyone else has to add state initials to their domain); South Dakota; Tennessee; Texas; and Vermont.

The Massachusetts case is apparently being run with the help of an all-volunteer executive committee, including representatives from the AG offices from Pennsylvania, Vermont, New Jersey, Arizona, Oregon, Ohio, Florida, Illinois and California.

Those states participating on the executive committee, one source said, often get a shot at additional money for their states. That’s part of the problem. The states have an incentive to negotiate financial arrangements to get money back to state residents, but little incentive to publicly detail the security procedure lapses that caused the breach to happen and, much more importantly, the disclosure of which might prevent similar ones from happening.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.