Partners’ Blog

About This Blog

Because we've had extensive experience in major national newsrooms, we view news developments in a somewhat different manner than many communications consultants; we see the news through the same lens as working journalists.

Our blog provides analysis of how recent news developments were handled or mishandled by the principal actors and their advisers. Who handled the press attention well? Who did not? How might they have fared better?

We will bestow the M.E. Communications Partners WMD (Worst Media Debacle) award in timely fashion to those we regard as the worst performers.



TJX and the biggest heist ever

What in the world is up with TJX? The Framingham, Mass.-based retailer seems to be the victim of what one computer security firm executive calls the 'perfect crime.' And it gets worse as TJX grudgingly dribbles out more information.

No one knows exactly how many of TJX's customer identities have been stolen. The company says the number is in the millions, at least 45.7 million, but it could be more. Whatever the number, security experts think it's the biggest security breach ever.

How did this happen to a successful company with $17 billion in sales and 120,000 employees manning 2,500 retail stores in the U.S., Canada, Ireland and the U.K., retailing under the T.J. Maxx, Marshalls, Bob's Stores and other brand names?

It appears that hackers started to drain what the company naively thought was secure information about customer transactions as far back as July 2005, then again from mid-May of last year to January of this year. Some of the customer information stolen may have dated to transactions that occurred as far back as January 2003, according to an SEC filing. Apparently no customer information was stolen after December 18, 2006; that's when the company first found that its computer security had been compromised, at least 17 months after the initial breach. "These guys perpetrated a perfect crime," one computer security expert told The Boston Globe.

TWO WEEKS PASS BEFORE CUSTOMERS LEARN THE NEWS

The next day, two security companies were brought in to figure out what was going on, and by December 21 they had established that a hacker was active in the company's system. On December 27 the company knew customer data had been stolen. But it wasn't until January 13 that TJX went public, more than two weeks after it knew that its customers were at risk and only after journalists had gotten on their case. The most recent statement, issued in late February by CEO Carol Meyrowitz, contains her sincere apology but doesn't admit to any company responsibility.

And TJX has been slow to reach out to the millions of customers whose credit information may have been compromised. It did say in the SEC filing that 455,000 customers whose driver's license information may have been compromised will receive a letter from the company. No word on the other 45 million.

Some customers have complained that they first heard from their credit card company, and not from TJX, that their information might have been hacked. Presumably the company knows who its customers are, so why not a letter to every one?

TJX DIDN'T MEET MASTERCARD'S STANDARDS

Maybe a clue is in the statement last Feb. 21 by MasterCard International Inc. that at the time of the breach TJX did not meet the security standards set by the card company. A TJX spokeswoman declined to respond to MasterCard's charge. Earlier, The Wall Street Journal reported that TJX was not compliant with the security standards the payment card industry requires of anyone who handles card numbers electronically. TJX faces an investigation by the Federal Trade Commission and perhaps other state government agencies, and scores of lawsuits, including one by the Arkansas Carpenters Pension Fund that wants access to all records showing how TJX handled data security.

In fairness, only about 40% of companies that handle credit cards are in compliance, but it boggles the mind that a company with sales of more than $1 billion a month would have failed to comply.

Here's our thought on this one: When a company gets into trouble, the remedy begins with disclosure, not stonewalling, which it appears TJX has adopted as its strategy. CEO Meyrowitz, whose recent compensation was $8.5M, will regret she wasn't more forthcoming the day she testifies before a Congressional committee.

If only she had complied with her company's code of ethics for executives, one of which says, "Provide constituents with information that is accurate, complete, objective, relevant, timely and understandable."

Constituents? Guess that includes customers.
