TJX: How Not to Handle a Crisis
Bob Bragdon weighs in on TJX's breach response
By Bob Bragdon, Publisher, CSO
March 01, 2007 — CSO —
As I sat in my office throwing darts at the list of topics I could write about, I glanced out my window and, lo and behold, there was this month's topic: The TJX Cos.
TJX's headquarters is down the street from CSO's offices in Framingham, Mass. Looking at the current PR mess TJX is struggling with, I'm struck by how poorly many leading businesses deal with a crisis situation. This TJX situation will, no doubt, become a great case study in how not to respond.
For those of you who may have missed the media frenzy around this, TJX is the parent company of a number of major retailers, including T.J. Maxx, Marshalls, HomeGoods, Bob's Stores and A.J. Wright. According to the company's initial statement, TJX in mid-December discovered an unauthorized intrusion into the computer systems that process and store information related to its customer transactions. It appears that millions of records could be compromised. And further investigation has led the company to believe that the intrusions continued from May 2006 to December 2006. Then the company, apparently at the behest of law enforcement, kept the discovery under wraps until mid-January while it investigated the theft and strengthened its security. From where I sit, that was a good move because it gave the company time to secure its systems and law enforcement time to investigate. But to many in the public, it looks like a retailer sitting on bad PR until after the important holiday season.
Where the process broke down is the way the company responded to the public's concerns—and it's feeling the fallout. TJX went public through a statement posted on its website. Executives met questions with curt "No comments." When the weight of the media coverage really began to hit, TJX took out full-page ads in newspapers explaining what had happened and then posted a video of Chairman Ben Cammarata on its website.
Maybe I missed it, but I have yet to see a live person from TJX answer questions. When asked if it would offer credit-monitoring services to those customers who were affected, TJX refused, claiming it was not necessary. The result here is that TJX has come through this process sounding like an organization that has something to hide.
The results so far: A number of credit card fraud incidents resulting from stolen customer data. Three pending class-action lawsuits from consumers and from banks seeking reimbursement for the cost of issuing new credit cards to their customers. A modest (not huge) hit to TJX's stock price.
Understanding malware techniques and the ever-more sophisticated cybercrime ecosystem
Advanced evasion techniques emerge
Organized cybercrime revealed
Inside the global hacker service economy
Anatomy of a DDoS extortion attack
The rise of anti-forensics
The botnet hunters
Timeline: a decade of malware
- Introduction to VMware vCenter Site Recovery Manager 5
- Introduction to Virtualization
- Preventing Unplanned Downtime with Server Virtualization
- Secure Cloud Infrastructure and Next-Generation Data Centers - An Interactive Panel for Decision Makers
- Gartner Next Generation Network IPS Webcast
- Understand Your Data: The Future of Backup and Archiving
- Patch Tuesday preview, February 2012
Microsoft published its Patch Tuesday Preview for February of 2012 a few minutes ago. IT admins can expect nine bulletins to address 21 security vulnerabilities.
It looks like four bulletins will be rated critical while the rest are designated as important.
Affected Microsoft products are:
- M86 report proves water is wet
- Actor, banker, soldier, spy: Suits and Spooks Anti-Conference aims to redefine security
More Salted Hash with Bill Brenner
