Maxxed Out: TJX Companies and the Largest-Ever Consumer Data Breach

Abstract

In November 2005 Fidelity Homestead, a savings bank in Louisiana, began noticing suspicious charges from Mexico and southern California on its customers' credit cards. More than a year later, an audit revealed peculiarities in the credit card data in the computer systems of TJX Companies, the parent company of more than 2,600 discount fashion and home accessories retail stores in the United States, Canada, and Europe.The U.S. Secret Service, the U.S. Justice Department, and the Royal Canadian Mounted Police found that hackers had penetrated TJX's systems in mid-2005, accessing information that dated as far back as 2003. TJX had violated industry security standards by failing to update its in-store wireless networks and by storing credit card numbers and expiration dates without adequate encryption. When TJX announced the intrusion in January 2007, it admitted that hackers had compromised nearly 46 million debit and credit card numbers, the largest-ever data breach in the United States.After analyzing and discussing the case, students should be able to: Understand imbedded operational risks Analyze how operational risk decisions are made in a firm Understand the challenges in the electronic payment transmission process, which relies on each participant in the process to operate best-in-class safety systems to ensure the safety of the entire process Recognize the sophistication of IT security threats