TJX: The Unsurpassed Geniuses At Playing Dumb

Written by Evan Schuman
October 11th, 2007

As I look back at the 10 months of this soap opera known as the TJX data breach—the biggest ever, in case someone forgot—I keep being reminded of a wonderful piece of dialogue in the 1990s TV show, The West Wing.

One of the characters—a White House deputy communications director named Sam Seaborn—was arguing with another character when she told him, "Don’t play dumb with me." He replied: "I’m not playing dumb. I really am dumb. Most of the time, I’m playing smart."

The TV joke was that this character truly was smart: a smart guy playing dumb beneath a layer of playing smart. (Shades of Victor/Victoria, but let's not go there.) This brings us back to TJX.

Before the breach, TJX was seen as a very smart, very well-positioned $17 billion retailer, sitting atop an especially attractive North American retail niche.

But since the breach, in which the credit card data of some 46 million consumers fell into unauthorized hands, the company has seemed to make PR blunder after blunder. And yet its financial health could hardly be better. Revenue and every key metric have improved since the breach's announcement, and the negotiated settlement with the consumers suing TJX is likely to be approved; it is extremely favorable to TJX.

When TJX learned of the breach in mid-December and kept silent until mid-January—when it was able to finish its wireless security upgrade—that now seems clever. When it announced that ultra-favorable initial version of the settlement late on a Friday night (after sundown on the eve of Yom Kippur), it even caught the judge unaware. Another coincidence, or were they really trying to bury the news?

When a large number of customers' driver's license records were grabbed in the heist, TJX asked those consumers to get their state motor vehicle departments to put a watch on their licenses. That was a move that would do relatively little to protect the consumer (the critical data, such as name, home address, sometimes Social Security number, photo, physical description and signature, would be gone for good and is very difficult to change), but it did have the potential to cause problems for those same consumers. If they're pulled over for a faulty taillight, they will almost certainly be held by authorities to verify their identity.

Recently, in making court arguments for the settlement, attorneys said the vouchers could be sold on eBay and converted into cash that way.

The judge overseeing the case strongly did not like that suggestion: "Too hard for me. These are consumers. People know how to cash checks. Saying 'Go to eBay and negotiate it' won't cut it."

But the judge wasn't alone. The comment drove several retail security experts crazy; they have been campaigning aggressively to stop retail vouchers from being fraudulently sold on auction sites such as eBay. To have TJX explicitly encourage that, some have said, is mind-boggling.

For the record, the TJX legal fallout from the breach isn’t over yet. The consumer settlement still needs to be approved, but that now seems quite likely. A class-action lawsuit against TJX by quite a few banks and other financial institutions is slated for arguments next week.

A U.S. House of Representatives effort to hold hearings has been repeatedly postponed, but if those hearings do happen, there could be federal legislation behind them to criminalize weak security when protecting consumer information. And the group of state Attorneys General has yet to release its report, which may have an impact on TJX, although that's not likely.

Has TJX's persistent silence on key details about the breach been based on shrewd legal acumen, or on the retail marketing reality that "sticks and stones may break my bones, but consumers couldn't care less about data security"?

TJX knew going into this case that it had the much stronger legal position, because no consumers lost meaningful dollars. With the exception of the bank lawsuit, TJX hasn't had any reason to answer nosy security questions.

As for the driver’s license and EBay comments, apathy begets apathy.
