TJX the largest-ever consumer data breach

TJX Companies, based in Framingham, MA, was a major participant in the discount fashion and retail industry. The TJX brand had a presence in the United States as well as in Canada and Europe. In mid-2005, investigators were made aware of serious security breaches in TJX’s credit card system. These breaches were first found at a Marshalls located in St. Paul, MN, where the hackers used a “war driving” tactic (scanning for poorly secured wireless networks from outside the store) to steal customer credit card information. This incident resulted in over 46 million debit and credit card numbers being compromised and is considered to be the largest security breach in US history. The security breach at TJX resulted in major members

In the article released by McKinsey titled Meeting the Cybersecurity Challenge, there is a focus on using a “business back” approach. In this context, an entity must start from its most important business processes and the information assets they depend on, rather than focusing on whatever technological vulnerabilities happen to be current. More specifically, I would recommend that TJX separate its stored credit card data, keeping card numbers apart from expiration dates so that a single compromised system does not yield complete, usable card records. As the article puts it, “Separating credit card numbers and expiration dates vastly complicates the task.” (p. 5) My personal takeaway from this case is the emphasis on this being a management issue, not just an IT issue. “Companies need to make this a broad management initiative with a mandate from senior leaders in order to protect critical information assets without placing constraints on business innovation and growth.” (p. 28)
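To make the McKinsey recommendation concrete, the following is an added example (not code from the essay, from McKinsey, or from TJX) of what "separating credit card numbers and expiration dates" looks like in a data store design. It contrasts a single table holding everything with a segregated design in which the merchant-facing record keeps only a token and the last four digits, while the full card number (PAN) and the expiry live in two separate vaults. The class and store names, the HMAC-based token, and the sample card numbers are all assumptions constructed for the example; the card numbers are well-known test numbers, not real accounts.

```python
"""Added example: compare the blast radius of a monolithic card table with a
segregated design (merchant record / PAN vault / expiry vault). Nothing here
is TJX's or McKinsey's code; names and sample data are constructed."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check so only syntactically valid PANs are accepted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class MonolithicCardStore:
    """The 'before' design: PAN and expiry side by side in one table."""

    def __init__(self):
        self.table = {}  # pan -> expiry

    def store(self, pan: str, expiry: str) -> None:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("invalid PAN")
        self.table[pan] = expiry

    def complete_cards_recoverable(self, leaked: set) -> int:
        """Cards an attacker can use in full, given the stores they obtained."""
        return len(self.table) if "table" in leaked else 0


class SegregatedCardStore:
    """The recommended design: three stores, each useless on its own."""

    def __init__(self):
        # Hypothetical tokenisation secret, held by the vault, never by the POS.
        self._token_key = secrets.token_bytes(32)
        self.merchant_db = {}    # token -> last four digits (receipts, refunds)
        self.pan_vault = {}      # token -> full PAN
        self.expiry_vault = {}   # token -> MM/YY

    def _token(self, pan: str) -> str:
        # Keyed hash: the token reveals nothing about the PAN without the key.
        return hmac.new(self._token_key, pan.encode(), hashlib.sha256).hexdigest()[:24]

    def store(self, pan: str, expiry: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = self._token(pan)
        self.merchant_db[token] = pan[-4:]
        self.pan_vault[token] = pan
        self.expiry_vault[token] = expiry
        return token

    def complete_cards_recoverable(self, leaked: set) -> int:
        """Only a PAN paired with its expiry is a usable card; the merchant
        record alone never contributes, and either vault alone is incomplete."""
        count = 0
        for token in self.pan_vault:
            pan = self.pan_vault.get(token) if "pan_vault" in leaked else None
            exp = self.expiry_vault.get(token) if "expiry_vault" in leaked else None
            if pan and exp:
                count += 1
        return count


def demo() -> dict:
    """Load constructed test cards into both designs and tabulate exposure."""
    cards = [("4111111111111111", "12/27"), ("5555555555554444", "06/26")]
    mono, seg = MonolithicCardStore(), SegregatedCardStore()
    for pan, exp in cards:
        mono.store(pan, exp)
        seg.store(pan, exp)
    return {
        "monolithic_table_leak": mono.complete_cards_recoverable({"table"}),
        "merchant_db_leak": seg.complete_cards_recoverable({"merchant_db"}),
        "pan_vault_leak": seg.complete_cards_recoverable({"pan_vault"}),
        "both_vaults_leak": seg.complete_cards_recoverable({"pan_vault", "expiry_vault"}),
    }


if __name__ == "__main__":
    for scenario, n in demo().items():
        print(f"{scenario}: {n} complete card(s) recoverable")
```

The point the numbers make is the one in the quotation: with one table, compromising the point-of-sale data store (the kind of system reached through an insecure wireless network) hands over every complete card, whereas with the segregated design the same compromise yields tokens and last-four digits only, and an attacker must breach two separately protected vaults to assemble a usable record.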
1. There is generally a lack of clarity as to who should bear the burden when it comes to data-breach liability under the contracts between merchants and banks. Many of these cases end up adjudicated or settled. Also, in 2009, the average total cost of a data breach incident was $6.75 million for merchants. TJX reported, in its expenses and reserves account, probable losses of $171.5 million (estimates were as much as $9 billion). In terms of card issuers (financial institutions), they assumed the risk for fraud or any issues with nonpayment. In the case, we learn that these issuers usually “wind up footing the bill”