TJX Offers One-Day Sale To Make Up For Massive Data Breach

from the how-generous dept

Until earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people’s credit card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence, by encrypting its stores’ WiFi networks with the easily broken WEP standard, and not having enough security in place to keep the hackers out of its central database after they’d gotten on the network at a single store. Even more astounding was the fact that TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, lets-clear-out-everything-we-didn’t-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.

Filed Under: , ,
Companies: tjx

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “TJX Offers One-Day Sale To Make Up For Massive Data Breach”

Subscribe: RSS Leave a comment
Freedom says:

Wake up to the real world...

Wake up to the real world. I would bet that more than 95% of businesses are setup in this sort of way. IT is a balancing act with limited resources. It is also an industry that literally has no standards and the core elements change on a yearly basis. Why in a perfect world every company would invest the necessary dollars, there are many that don’t and won’t do it. This is an especially bad example, but most companies are setup such that once you get past the front door security, you have a lot of access.

With that said, not-encrypting the CC info is really bad. Even if the network was setup without a lot of security concerns, you’d think someone would have thought a bit on that one!


Mr. Kerry D Robertson says:

Re: Wake up to the real world...

Agreed! Until companies realize they need to beef up their IT departments, or flat out hire network security professionals, this type of thing will continue to happen.

Most buildings that house companies have a security system and human guards.

As more of companies and their assets are housed in cyberspace, does it not make sense to apply some of the same rules?

Oh well. Try explaining that to a boss who thinks of a train ride when you talk to him about SSL tunneling.

JT says:

Re: FTC needs to change

Reading a bit from your article and comments… It sound like it’s OK to run your business poorly from an IT/security standpoint and claim ignorance when cornered. Your comments sound like the kid on the playground pointing their finger saying “look at all these companies, they do it too”. Well guess what? They’re not the ones that had it happen to them.

Part of the problem is that people will not conform or put forth ANY effort unless they’re forced to. It’s too bad we have to have examples in society but without them we have crime. It’s no different with business, if there’s not examples, they continue to do what’s cheap rather than what they should do. Hopefully this makes other companies on their scale to take a look at security and determine if they’re at risk for a breach and some lofty payback if it happens.

I’m a bit sickened by you calling them “victims”. Companies do all they can to cut corners and they need to be held accountable when they screw up, especially on a scale like this.

MMXG says:


My home Wireless-N network is encrypted with WPA2-AES/TKIP with a long, but memorable, pass-phrase. Router also checks MAC Addresses and requires wireless devices to be registered on the router before access is allowed. Router settings took about 2 minutes to set up, computers collectively about 10 minutes to get connected right.

I have only ever worked in Retail and I have never taken any post-secondary IT courses. “Sheer incompetence” is an understatement, and TJX should still get that $41-million fine.

Also, I believe “hackers” is the wrong term, they were “crackers”. Hackers have pride, they want a challenge, and usually they do it just to prove they can, not to steal information for personal gain. Not unless that gain is a monthly paycheck that is. I’m curious to know if TJX’ network was infected with that Downadup/Confliker worm, and if they have some less incompetent employees to make sure that’s handled properly.

Retailer Joe says:

Encrypting CC info

What scary about the encryption of CC info is that the banks we work with (I work at a retailer) _cannot_ support encryption on their links…

The PCI standards require us to keep the data encrypted while it resides on our system (or is being sent over our network), but as soon as it goes on the link to the bank, it’s wide open (note that the PIN is always encrypted, but the card number and expiration date are wide open).

We’ve hit the bank a couple of times about encrypting that data flow, but they claim their systems can’t handle it!

Nelson Cruz says:

Here in Portugal we have a system that issues “virtual credit cards” that expire after 1 month and have a limit set by the user. Its called mbnet (

For every single online transaction we can use a different card number, that even if it falls in the wrong hands, can’t be of much use to them.

Maybe someone in the US should copy this. 🙂

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...