Case Detail

Case Summary

Maxxed Out: TJX Companies and the Largest-Ever Consumer Data Breach

Case Number: 5-313-507, Year Published: 2013

HBS Number: KEL764

Request PreviewBuy

Key Concepts

Information Technology, Information Management, Risk Management, Decision Making, Technology Management, Internet, Payments, Credit Cards, Cyber Risk

Abstract

In November 2005 Fidelity Homestead, a savings bank in Louisiana, began noticing suspicious charges from Mexico and southern California on its customers’ credit cards. More than a year later, an audit revealed peculiarities in the credit card data in the computer systems of TJX Companies, the parent company of more than 2,600 discount fashion and home accessories retail stores in the United States, Canada, and Europe.

The U.S. Secret Service, the U.S. Justice Department, and the Royal Canadian Mounted Police found that hackers had penetrated TJX’s systems in mid-2005, accessing information that dated as far back as 2003. TJX had violated industry security standards by failing to update its in-store wireless networks and by storing credit card numbers and expiration dates without adequate encryption. When TJX announced the intrusion in January 2007, it admitted that hackers had compromised nearly 46 million debit and credit card numbers, the largest-ever data breach in the United States.

Learning Objectives

After analyzing and discussing the case, students should be able to:

  • Understand imbedded operational risks
  • Analyze how operational risk decisions are made in a firm
  • Understand the challenges in the electronic payment transmission process, which relies on each participant in the process to operate best-in-class safety systems to ensure the safety of the entire process
  • Recognize the sophistication of IT security threats

Number of Pages: 8

Extended Case Information

Teaching Areas: Organizational Behavior

Teaching Note Available: Yes

Geographic: United States

Industry: Retail

Organization Name: TJX Companies

Organization Size: Large

Year of Case: 2008