Will TJ Maxx Lose 77% Of Its Customers Over Data Breach?

from the somehow,-we-doubt-it dept

It’s easy to get people to say what you want them to say concerning how they would act in a specific situation, but try watching how they actually act and you’ll realize that actions definitely do speak a lot louder than words. Some researchers are reporting that approximately 77% of people say they would stop shopping at stores that suffer data breaches. Interesting timing, given the huge data breach by TJX, owners of stores chains like TJ Maxx and Marshalls. While it is likely that the publicity around this story (including the fact that some of the data has already been used in various scams) will have some people thinking twice about shopping at TJX stores — somehow we doubt they’re going to lose anywhere near 77% of their business. It’s easy to say you won’t shop there, but when it comes time to buy the kids cheap clothes for the new school year, people will go right back to their old habits. Perhaps that’s why companies don’t seem to take these data breaches very seriously. Despite lots of anger, it doesn’t seem like people actually follow through. Another study that came out today tries to quantify just how costly data breaches are, and finds that it tends to cost companies from $90 to $305 per lost record, suggesting TJX’s breach will cost it $1.35 billion — however, many people say that’s probably a lot higher than what it will turn out to be in reality. TJX will get a slap on the wrist, people will keep shopping there and the company will probably be just as likely to lose your data in the future as it was in the past.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Will TJ Maxx Lose 77% Of Its Customers Over Data Breach?”

Subscribe: RSS Leave a comment
Infested Templar says:

Increase the penalties for repeated breaches

What you need is an exponential scale for the fines that the companies receive, the first might be just a wake-up call but when the second is 2x as much, then 4x, then 8x, then 16x they might just start to wake up to it. Heck you could even go at a higher multiplier than 2, say 3 or 4, that would have them scrambling to fix their procedures.

tmv says:

Re: Who the hell shops there anyway?

Seriously? I agree that the store should be held accountable but let’s not dog the shoppers! I shop there and most of my “stay at home mom” crowd shops there and we are not “lower class” and do not have credit card problems. We all live in upper, upper class neighborhoods. My husband makes over 200,000 a year. In all actuallity, it is shown that people who know how to save money also spend money wisely and that is shopping in stores like TJ Maxx. Do your marketing research. That is why these credit card numbers are so lucrative for someone. I do shop at Nordstrom’s and I also shop at TJ Maxx and places like Old Navy and Target. We shop smart!

Jim Harper (user link) says:

But data breach doesn't matter that much . . .

Of course, data breaches are not the preferred course of events, but they also aren’t very consequential. The average person, victim of the average data breach, suffers essentially no harm whatsoever. In the more serious breach, the average individual “victim” suffers an increased risk of identity fraud by some extremely small percentage. There are breaches of credit card data where the individual, who is not liable for misuse of the card data, stands to suffer no losses at all.

So, again, breaches aren’t preferrable – everyone is against them happening – but too much data security could have greater (well hidden) costs than the current status quo of not-enough.

Draconian fines for data breaches? I don’t think so. Simple negligence liability for the consequences of a failure to secure data is enough. Along with (probably contractual) liability to the credit card issuers and/or associations, of course.

k7 says:


I was told that my card had been shut off while trying to pay for a meal when I was living out of state. It was turned off because of this breach. All of my expenses were being paid with that account; my bank didn’t have any clue who was compromised only that my card should be shut off. I was furious. How am I supposed to know what action(s) to change, if I don’t know who was compromised? It was a far cry from any proper disclosure for sure (SB1386, etc.).

Long story short, I was very inconvenienced by their incompetence, and was more put off by their stalling, understating the damage, and now pointing the finger to “failed encryption” as I read in one story. What a pile. I will not be shopping at TJ Maxx in the future, and I never really shopped at TJX’s other stores. If for any reason I had to go there, I would pay cash. They have lost my business.

Do fines for companies do any good? no. The big ones couldn’t care less. That is what insurance is for. What they fear the most is loss of brand, loss of trust. That is what takes a long time to earn and can be lost very quickly, often times never fully restored if at all.

Does “lightning” strike twice? you bet it does. In fact it generally is striking over and over, but many places have no clue that they are being compromised. Most companies believe that if they are not aware of a security breach, then it obviously has not happened. I replace all of my credit cards once a year.

Overcast says:

It’s easy to say you won’t shop there, but when it comes time to buy the kids cheap clothes for the new school year, people will go right back to their old habits

Cheap is relative…

If you consider a risk of stolen credit card info, it can, indeed, be cheaper to go elsewhere.

I’m glad I read this before clothes shopping this weekend – that was actually my plan. However; I use cash 90% of the time. Pretty impossible to get a credit card number from me in any event.

But with like 10 different places to get clothes, why go anywhere that might be a risk?

James says:


Companies that do this are ignorant and in error, but companies that do it repeatedly are ignorant.

As for shopping there w/a cc, give me a break. A cc is one of the BEST ways to shop. You get better management of your $$ (well if you know how to do this) and zero responsibility for bogus charges.

Yes, I’m aware there are those who don’t check their receipts against their credit card statement,… those people are ignorant.

GregD (user link) says:

Credit Cards?

The easiest, simplest, solution to the problem is just to simply not use credit cards. Those that think they have it “under control” (“Oh, I only use them for the points, and pay them off every month”) are fooling themselves. Credit Card companies are multi-billion dollar global entities, you really think *you* are gonna put one over on *them*?

The only “credit” type card I have is the one the company I work for has issued me for company expenses – and even then, it’s a charge card, not a revolving credit card.

James says:

Re: Credit Cards?

You’re wrong. An adult of average intelligence who is persistent in managing their budget and expenses can benefit from credit cards. Sadly, most fall into your category they can’t be that persistent so they either pay interest/fees or stay away from credit cards entirely.

I stress persistent because paying interest or card fees is NOT intelligent. But for those of us who know how to work within the framework of the card recieved they can be a benefit.

Fred Flint (user link) says:

Let the Market Sort Them Out

The best thing that could happen here is that TJ Maxx loses 100 percent of their customers due to this security breach.

Maybe, finally, at long last, senior management at all of these corporations will finally decide to take start taking I.T. security seriously.

Unfortunately, I doubt that will happen.

People who make it to the top of the corporate management level are not very knowledgeable about much of anything or even, shall I say it… very smart.

Anonymous Coward says:

The real solution is quite simple, but it will never be implemented: If your company loses credit card data, you can’t take credit cards anymore.

Simple, right? Those that are unwilling to protect the data, should not be able to collect the data. Start with a three month suspension and work your way up for additional violations. Big box retailers have to be able to take credit cards. They would face the prospect of going out of business or being at a serious competitive disadvantage if their credit card data was breached repeatedly…

Oh, wait, Visa wouldn’t want that, MasterCard wouldn’t want that, the merchants wouldn’t want that. Expect consumers to keep on paying the cost of this corporate recklessness.

Bjorn, Iceland (DalPay) (user link) says:

Observation re: But data breach doesn't matter tha

As mentioned in the in-depth WSJ article last week (May 4, 2007) [ http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html ] the stolen credit and debit card numbers have been circulating in the hacker underground for a long period, and have been used to perpetrate millions of dollars worth of fraud against merchants.

While what Jim Harper says that, “the average person, victim of the average data breach, suffers essentially no harm whatsoever,” is true because there is currently risk acceptance by the banks for card present fraud, this ignores the real victims of this kind of theft – completely innocent online merchants.

They are the true victims of breaches such as these because unlike card holders or brick and mortar stores, online merchants are entirely liable for card not present transactions even if they are not at fault.

Without help to protect themselves, merchants are completely vulnerable, and liable.

As my colleague Thorsten says, the problem is that the costs of such breaches to online merchants is an externality to the card associations such as Visa and MasterCard, to the issuing banks and payment gateways.

While a move such as that mentioned in March by Rep. Barney Frank chairman of the House Financial Services Committee, to make a company responsible for allowing a breach to bear the costs of notifying customers and reissuing cards, sounds sensible on the surface, it is not if it perpetuates this unfair treatment of online merchants, and other inequitable aspects of the current status quo in processing.

It is clearly far better then if liability is decided in the courts, as is currently the case.

This also will allow for future changes in risk acceptance as well opposed to the status quo, which is inequitable enough as is, let alone with the U.S. Congress setting it into stone with flawed liability legislation.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...