• United States



by Bob Bragdon, Publisher, CSO

TJX: How Not to Handle a Crisis

Mar 01, 20073 mins
CybercrimeIT LeadershipNetwork Security

Bob Bragdon weighs in on TJX's breach response

As I sat in my office throwing darts at the list of topics I could write about, I glanced out my window and, lo and behold, there was this month’s topic: The TJX Cos.

TJX’s headquarters is down the street from CSO’s offices in Framingham, Mass. Looking at the current PR mess TJX is struggling with, I’m struck by how poorly many leading businesses deal with a crisis situation. This TJX situation will, no doubt, become a great case study in how not to respond.

For those of you who may have missed the media frenzy around this, TJX is the parent company of a number of major retailers, including T.J. Maxx, Marshalls, HomeGoods, Bob’s Stores and A.J. Wright. According to the company’s initial statement, TJX in mid-December discovered an unauthorized intrusion into the computer systems that process and store information related to its customer transactions. It appears that millions of records could be compromised. And further investigation has led the company to believe that the intrusions continued from May 2006 to December 2006. Then the company, apparently at the behest of law enforcement, kept the discovery under wraps until mid-January while it investigated the theft and strengthened its security. From where I sit, that was a good move because it gave the company time to secure its systems and law enforcement time to investigate. But to many in the public, it looks like a retailer sitting on bad PR until after the important holiday season.

Where the process broke down is the way the company responded to the public’s concerns—and it’s feeling the fallout. TJX went public through a statement posted on its website. Executives met questions with curt “No comments.” When the weight of the media coverage really began to hit, TJX took out full-page ads in newspapers explaining what had happened and then posted a video of Chairman Ben Cammarata on its website.

Maybe I missed it, but I have yet to see a live person from TJX answer questions. When asked if it would offer credit-monitoring services to those customers who were affected, TJX refused, claiming it was not necessary. The result here is that TJX has come through this process sounding like an organization that has something to hide.

The results so far: A number of credit card fraud incidents resulting from stolen customer data. Three pending class-action lawsuits from consumers and from banks seeking reimbursement for the cost of issuing new credit cards to their customers. A modest (not huge) hit to TJX’s stock price.

And notably, in the first days of early February, there were still trucks from various broadcast networks sitting outside the local Marshalls store because they couldn’t get their vans on the property of TJX headquarters to do their live updates.

There are lots of lessons to learn here and more to come as this story continues to unfold. The most important: TJX’s failure to get out in front of the problem and manage the public communication more effectively has allowed others to define the issue for them.

In a crisis you can never let that happen. Every business should have a contingency plan in place that addresses communications strategies for when something goes wrong. Remember that no security program is perfect, and being able to effectively communicate in a crisis, both internally and externally, can play a significant role in determining how much damage is done to your business.

–Bob Bragdon, publisher