Will TJ Maxx Lose 77% Of Its Customers Over Data Breach?

from the somehow,-we-doubt-it dept

Fri, Apr 13th 2007 3:27am — Mike Masnick

It's easy to get people to say what you want them to say concerning how they would act in a specific situation, but try watching how they actually act and you'll realize that actions definitely do speak a lot louder than words. Some researchers are reporting that approximately 77% of people say they would stop shopping at stores that suffer data breaches. Interesting timing, given the huge data breach by TJX, owners of stores chains like TJ Maxx and Marshalls. While it is likely that the publicity around this story (including the fact that some of the data has already been used in various scams) will have some people thinking twice about shopping at TJX stores -- somehow we doubt they're going to lose anywhere near 77% of their business. It's easy to say you won't shop there, but when it comes time to buy the kids cheap clothes for the new school year, people will go right back to their old habits. Perhaps that's why companies don't seem to take these data breaches very seriously. Despite lots of anger, it doesn't seem like people actually follow through. Another study that came out today tries to quantify just how costly data breaches are, and finds that it tends to cost companies from $90 to $305 per lost record, suggesting TJX's breach will cost it $1.35 billion -- however, many people say that's probably a lot higher than what it will turn out to be in reality. TJX will get a slap on the wrist, people will keep shopping there and the company will probably be just as likely to lose your data in the future as it was in the past.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

24 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Infested Templar, 13 Apr 2007 @ 3:52am

Increase the penalties for repeated breaches
What you need is an exponential scale for the fines that the companies receive, the first might be just a wake-up call but when the second is 2x as much, then 4x, then 8x, then 16x they might just start to wake up to it. Heck you could even go at a higher multiplier than 2, say 3 or 4, that would have them scrambling to fix their procedures.
[ link to this | view in chronology ]
dorpus, 13 Apr 2007 @ 5:03am

Who the hell shops there anyway?
It's a lower class store for people whose credit cards are constantly having funny problems.
[ link to this | view in chronology ]
- EDDIE, 25 May 2007 @ 8:45pm
  
  Re: Who the hell shops there anyway?
  YOUR MAMA SHOPS @TJ MAXX
  [ link to this | view in chronology ]
- Anonymous Coward, 20 Jul 2007 @ 1:04pm
  
  Re: Who the hell shops there anyway?
  Who shops there,you ask??? People who aren't willing to pay more money for the same products in department stores! Lower class or not, it makes no difference,
  Wouldn't you rather keep your money in your pocket???
  [ link to this | view in chronology ]
- tmv, 21 Jan 2008 @ 2:03pm
  
  Re: Who the hell shops there anyway?
  Seriously? I agree that the store should be held accountable but let's not dog the shoppers! I shop there and most of my "stay at home mom" crowd shops there and we are not "lower class" and do not have credit card problems. We all live in upper, upper class neighborhoods. My husband makes over 200,000 a year. In all actuallity, it is shown that people who know how to save money also spend money wisely and that is shopping in stores like TJ Maxx. Do your marketing research. That is why these credit card numbers are so lucrative for someone. I do shop at Nordstrom's and I also shop at TJ Maxx and places like Old Navy and Target. We shop smart!
  [ link to this | view in chronology ]
arban, 13 Apr 2007 @ 5:09am

Two options
Don't shop at TJX ... or
Continue shopping a TJX but only deal in cash.
[ link to this | view in chronology ]
comboman, 13 Apr 2007 @ 5:33am

Does lightning strike twice?
I don't recall a company with a data breach having another one later. Most companies learn their lesson from a data breach and improve their security. A company that hasn't had a breach yet is probably just lucky.
[ link to this | view in chronology ]
- The Swiss Cheese Monster, 13 Apr 2007 @ 5:42am
  
  Re: Does lightning strike twice?
  You don't come here often do you?
  [ link to this | view in chronology ]
Jim Harper, 13 Apr 2007 @ 5:39am

But data breach doesn't matter that much . . .
Of course, data breaches are not the preferred course of events, but they also aren't very consequential. The average person, victim of the average data breach, suffers essentially no harm whatsoever. In the more serious breach, the average individual "victim" suffers an increased risk of identity fraud by some extremely small percentage. There are breaches of credit card data where the individual, who is not liable for misuse of the card data, stands to suffer no losses at all.

So, again, breaches aren't preferrable - everyone is against them happening - but too much data security could have greater (well hidden) costs than the current status quo of not-enough.

Draconian fines for data breaches? I don't think so. Simple negligence liability for the consequences of a failure to secure data is enough. Along with (probably contractual) liability to the credit card issuers and/or associations, of course.
[ link to this | view in chronology ]
k7, 13 Apr 2007 @ 6:20am

cash
I was told that my card had been shut off while trying to pay for a meal when I was living out of state. It was turned off because of this breach. All of my expenses were being paid with that account; my bank didn't have any clue who was compromised only that my card should be shut off. I was furious. How am I supposed to know what action(s) to change, if I don't know who was compromised? It was a far cry from any proper disclosure for sure (SB1386, etc.).

Long story short, I was very inconvenienced by their incompetence, and was more put off by their stalling, understating the damage, and now pointing the finger to "failed encryption" as I read in one story. What a pile. I will not be shopping at TJ Maxx in the future, and I never really shopped at TJX's other stores. If for any reason I had to go there, I would pay cash. They have lost my business.

Do fines for companies do any good? no. The big ones couldn't care less. That is what insurance is for. What they fear the most is loss of brand, loss of trust. That is what takes a long time to earn and can be lost very quickly, often times never fully restored if at all.

Does "lightning" strike twice? you bet it does. In fact it generally is striking over and over, but many places have no clue that they are being compromised. Most companies believe that if they are not aware of a security breach, then it obviously has not happened. I replace all of my credit cards once a year.
[ link to this | view in chronology ]
ElCuervo, 13 Apr 2007 @ 7:05am

Lightning strikes
Not only does real lightning strike over and over in the same places as proven by scientists in New Mexico, so does the figurative type. Can you say Veteran's Administration?
[ link to this | view in chronology ]
Overcast, 13 Apr 2007 @ 7:10am

It's easy to say you won't shop there, but when it comes time to buy the kids cheap clothes for the new school year, people will go right back to their old habits

Cheap is relative...

If you consider a risk of stolen credit card info, it can, indeed, be cheaper to go elsewhere.

I'm glad I read this before clothes shopping this weekend - that was actually my plan. However; I use cash 90% of the time. Pretty impossible to get a credit card number from me in any event.

But with like 10 different places to get clothes, why go anywhere that might be a risk?
[ link to this | view in chronology ]
James, 13 Apr 2007 @ 7:25am

Ignorance
Companies that do this are ignorant and in error, but companies that do it repeatedly are ignorant.

As for shopping there w/a cc, give me a break. A cc is one of the BEST ways to shop. You get better management of your $$ (well if you know how to do this) and zero responsibility for bogus charges.

Yes, I'm aware there are those who don't check their receipts against their credit card statement,... those people are ignorant.
[ link to this | view in chronology ]
Dean, 13 Apr 2007 @ 7:53am

You goofed -- so pay up
I too spent way too much time activating my new card (cancelling old pre authroized charges, etc), Quicken, unable to access my account through the web, etc.

When I phoned the credit card and politely but firmly complained, they gave me a $250 credit.

Just a thought -- 1.4Million cards x $250....
[ link to this | view in chronology ]
Dean, 13 Apr 2007 @ 7:54am

You goofed -- so pay up
I too spent way too much time activating my new card (cancelling old pre authroized charges, etc), Quicken, unable to access my account through the web, etc.

When I phoned the credit card and politely but firmly complained, they gave me a $250 credit.

Just a thought -- 1.4Million cards x $250....
[ link to this | view in chronology ]
Me again, 13 Apr 2007 @ 9:17am

TJMAX
I will never shop somewhere that does not protect my information. It is the stores responsibility to take whatever means available. I don't know how this was stolen but if it was due to negligence, they should be fined 1000.00 per record.
[ link to this | view in chronology ]
GregD, 13 Apr 2007 @ 9:49am

Credit Cards?
The easiest, simplest, solution to the problem is just to simply not use credit cards. Those that think they have it "under control" ("Oh, I only use them for the points, and pay them off every month") are fooling themselves. Credit Card companies are multi-billion dollar global entities, you really think *you* are gonna put one over on *them*?

The only "credit" type card I have is the one the company I work for has issued me for company expenses - and even then, it's a charge card, not a revolving credit card.
[ link to this | view in chronology ]
- James, 13 Apr 2007 @ 11:03am
  
  Re: Credit Cards?
  You're wrong. An adult of average intelligence who is persistent in managing their budget and expenses can benefit from credit cards. Sadly, most fall into your category they can't be that persistent so they either pay interest/fees or stay away from credit cards entirely.
  
  I stress persistent because paying interest or card fees is NOT intelligent. But for those of us who know how to work within the framework of the card recieved they can be a benefit.
  [ link to this | view in chronology ]
  - GregD, 14 Apr 2007 @ 12:06am
    
    Re: Re: Credit Cards?
    Yes, if you're persistent, you can. Unfortunately, life happens, and you always have the unexpected medical bill, auto repair, emergency trip out of town, and it's real easy to let the credit card carry a balance.
    [ link to this | view in chronology ]
Fred Flint, 13 Apr 2007 @ 10:37am

Let the Market Sort Them Out
The best thing that could happen here is that TJ Maxx loses 100 percent of their customers due to this security breach.

Maybe, finally, at long last, senior management at all of these corporations will finally decide to take start taking I.T. security seriously.

Unfortunately, I doubt that will happen.

People who make it to the top of the corporate management level are not very knowledgeable about much of anything or even, shall I say it... very smart.
[ link to this | view in chronology ]
Anonymous Coward, 13 Apr 2007 @ 2:27pm

The real solution is quite simple, but it will never be implemented: If your company loses credit card data, you can't take credit cards anymore.

Simple, right? Those that are unwilling to protect the data, should not be able to collect the data. Start with a three month suspension and work your way up for additional violations. Big box retailers have to be able to take credit cards. They would face the prospect of going out of business or being at a serious competitive disadvantage if their credit card data was breached repeatedly...

Oh, wait, Visa wouldn't want that, MasterCard wouldn't want that, the merchants wouldn't want that. Expect consumers to keep on paying the cost of this corporate recklessness.
[ link to this | view in chronology ]
Bjorn, Iceland (DalPay), 7 May 2007 @ 10:47pm

Observation re: But data breach doesn't matter tha
As mentioned in the in-depth WSJ article last week (May 4, 2007) [ http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.htm l ] the stolen credit and debit card numbers have been circulating in the hacker underground for a long period, and have been used to perpetrate millions of dollars worth of fraud against merchants.

While what Jim Harper says that, "the average person, victim of the average data breach, suffers essentially no harm whatsoever," is true because there is currently risk acceptance by the banks for card present fraud, this ignores the real victims of this kind of theft - completely innocent online merchants.

They are the true victims of breaches such as these because unlike card holders or brick and mortar stores, online merchants are entirely liable for card not present transactions even if they are not at fault.

Without help to protect themselves, merchants are completely vulnerable, and liable.

As my colleague Thorsten says, the problem is that the costs of such breaches to online merchants is an externality to the card associations such as Visa and MasterCard, to the issuing banks and payment gateways.

While a move such as that mentioned in March by Rep. Barney Frank chairman of the House Financial Services Committee, to make a company responsible for allowing a breach to bear the costs of notifying customers and reissuing cards, sounds sensible on the surface, it is not if it perpetuates this unfair treatment of online merchants, and other inequitable aspects of the current status quo in processing.

It is clearly far better then if liability is decided in the courts, as is currently the case.

This also will allow for future changes in risk acceptance as well opposed to the status quo, which is inequitable enough as is, let alone with the U.S. Congress setting it into stone with flawed liability legislation.
[ link to this | view in chronology ]
ELVEDIN, 25 May 2007 @ 8:49pm

T J MAXX
I LOVE T J MAX STORE I VISIT EVERY SINGLE DAY THERE SOME TIMES EVEN 3 TIMES A DAY I LOVE THAT PLACE AND I DON'T THINK THAT THEY WILL LOOSE A CUSTOMERS THEY WILL EVEN GET STRONGER AND BETTER BECAUSE THEY ARE SELLING ORGINAL STUFF AND ITEMS NOTHING IT IS NOT FAKE EVERYTHING IS REAL NAMES AND MARKS
[ link to this | view in chronology ]
Anon, 9 Apr 2008 @ 2:01pm

asdf
Business is up at T.J. Maxx!
[ link to this | view in chronology ]