TJX’s Settlement: Marketing Chutzpa At Its Best

Written by Evan Schuman
September 22nd, 2007

Only TJX could take a lawsuit settlement from the worst retail data breach ever and try and turn it into an upsell situation.

TJX’s multi-part settlement of all of the consumer lawsuits against it for its massive data breach is a fascinating denouement to the TJX saga. What makes this latest twist so delicious is that TJX has played this debacle the way a retailer should, assuming the retailer is Niccolo Machiavelli.

When admitting to a massive data breach impacting some 46 million of your customers and when also conceding by implication that much of it was your fault given inadequate security measures, most companies would be chagrined, embarrassed and perhaps even a little bit ashamed.

How many would have the pureness of purpose to try and turn it into an upsell situation? When agreeing to pay cash (albeit tiny amounts) to your wronged customers, what would be a better example of Machiavellian marketing than to offer consumers the money only for in-store credit and of such an amount ($30) that many will likely spend more than the coupon?

Or as a way to make amends to the identity-less, offering to throw them a three-day party, which is open to everyone. And to then offer everyone attending a 15 percent off sale.

Let me see if I understand this correctly. Due to apparently recklessly weak security procedures, consumers that you invited into your stores had their credit card information and identities taken, all because they chose to buy your merchandise. How to make amends? Invite them back to bring their new credit card and buy more stuff, with a 15 percent discount. Isn’t that like Jeffrey Dahmer going to one of his victims that got away and offering him 25 percent off of another meal with him?

Maybe they can launch a major series of radio spots for this event? “Come to the We Ripped You Off And Got Away With It Special Celebration, with 25 percent off all jeans and 30 percent off if you use a credit card. Make sure to bring two forms of ID, though. Just kidding. You no longer have an identity.”

A 15 percent off sale and coupons to encourage upselling? That sounds less like a punishment and more like a promotion.

It’s important for people to try and read the full 44-page settlement or at least peek at our summary of the key settlement points. That’s because TJX makes a lot of generous-sounding moves (such as paying consumers who were wronged, paying them an hourly fee for time spent and making security improvements) but it’s in the details where those offers fall down.

Yes, consumers are being paid, but very little and only in the form of what amounts to limited TJX gift certificates. Some consumers will be getting paid an hourly fee for the time they spent chasing their lost identities, but only $10/hour and there is a healthy list of restrictions.

Yes, the security improvements are going to be documented, but the industry will never know those details. The attorneys in charge of that security oversight indeed could conclude that the security improvements are insufficient, which would kill the deal and, by the way, their $6.5 million fee. Not that that would influence them at all. After all, the plaintiff lawyers are in it to improve security conditions and not to merely make a buck, right?

If TJX was serious about this settlement and their improvements, they would be much more forthright about how they believe the incident began and what their security looked like at the time. If security is the only reason for the secrecy, surely it wouldn’t hurt to get specific about the systems that used to be in place. It’s not difficult to be explicit about what was being done and simply not reveal the information that would still be of value to thieves.

Of course, TJX has always had this bad luck with calendar coincidences. The breach was discovered in mid-December and yet they didn’t announce it until mid-January. Was the one-month silence truly needed by law enforcement or was it timed to not impact holiday sales? There’s a good argument that the timing back then was coincidental. Not an airtight argument, but a reasonable argument nonetheless.

This settlement’s announcement date raises the calendar coincidence issue again. This settlement had clearly been in the works for quite some time. Teams of lawyers don’t agree on the wording for 44-page government documents in one or two conference calls.

And yet, this statement was issued at 5:34 PM on the East Coast. On a Friday night. If one wants a story to be buried, that’s the best time and day to announce it. And if that announcement happens to be made after sundown on the eve of Yom Kippur (the holiest day of the year on the Jewish calendar), even better, if the goal is to bury the news.

Coincidence? Twice? Maybe, but I am guessing there might be a lot of atoning due from one major retailer this week.


6 Comments

  1. Robert Amster Says:

    I have to ask: did the customers whose security was breached agree to those terms or did the attorneys general in charge of the cases?

    Most consumers are not stupid enough to agree to such a settlement. A consumer would know that he/she is being duped into coming back into the store to spend money in it.

    However, if the settlement was accepted by the injured parties, you have to give TJX credit for their chutzpah. It appears that it worked.

  2. Evan Schuman Says:

    Editor’s Note: The answer is technically “neither.” First, this case is entirely distinct from the state Attorney General cases that are still pending. (Actually, those cases are consolidated under Massachusetts, so it’s functioning as one action.) The state AGs have no direct involvement in this case.
    This deal was agreed to by the attorneys representing certain users and TJX. I am strongly assuming that most of the consumers involved were briefed and signed off. Of course, there are millions of consumers involved so it would only be the named consumers who would have had any say.

  3. Ray Dobbs Says:

    You’ll see some very similar “marketing” tactics from VerizonWireless in their “Campbell Class Action Settlement” from 2006.

    Multiple options offered to the Class. Most involve insignificant discounts on very high-margin accessories.

    And, on top of it all, their method of submission for these settlement options was so complex, that you ended up spending $50 worth of time to receive a $10 “payoff”.

    Evan – thanks for shining a big light on the games people play. Never ceases to amaze.

  4. Eric Offenberg Says:

    I never really considered how TJX actually timed every communication to work to their advantage.

    My guess is that the gift cards will be sent to customers to arrive 11/19-11/21, right before Black Friday.

    Then a settlement with the state AGs will be announced Christmas Eve.

  5. Evan Schuman Says:

    Editor’s Note: Good thought, Eric, although I doubt they’ll have the settlement improved in time for Nov. 19. Other than that, yes, that is likely what they would have tried to do.
    As for the AG settlement, that will now prove interesting. All that the AGs were actively pursuing–the last time I checked–was credit card monitoring reimbursement. Given this agreement, they might wait to see if the settlement is approved. If it is, they might just echo it.

  6. Jason Merrick Says:

    It is significant that TJX is once again being secretive about the steps it is taking to secure its network since it was secretive about the breach itself. The real challenge with network security is that every new technology brings both benefits and risks and forethought must be given to those risks preferably before the technology is implemented. While there is some discussion about whether or not the breach at this retailer was wireless, and it is our opinion that it was, it is important to think about network security strategy in a global way instead of a siloed one and wireless security must be part of that strategy, whether or not you have deployed wireless. With the proliferation of wireless, wireless security is a must-have, not an afterthought, and it need not be an expensive and daunting task to implement.

