Case Study

On January 17, 2008, TJX Companies,

Inc., a leading retailer in the field of clothing

and home fashions which operates

stores domestically and internationally,

announced that the organization had

experienced an unauthorized intrusion

of its computer systems.1 Customer

information, including credit card, debit

card, and driver’s license numbers,

had been compromised. This intrusion

had been discovered in December

of 2006, and it was thought that data

and information as far back as 2003 had

been accessed and/or stolen. At the

time, approximately 45.6 million credit

card numbers had been stolen. In October

of 2007, the number rose to 94

million accounts.2 This has become the

largest known credit card theft or unauthorized

intrusion in history.

Because of the lax security systems at

TJX, the hackers had an open doorway to the company’s entirecomputer system.

In 2005, hackers used a laptop outside

of one of TJX’s stores in Minnesota and

easily cracked the code to enter into the

WiFi network. Once in, the hackers were

able to access customer databases at

the corporate headquarters in Framingham,

Massachusetts. The hackers gained

access to millions of credit card and debit

card numbers, information on refund

transactions, and customer addresses

and phone numbers. The hackers reportedly

used the stolen information to purchase

over $8 million in merchandise.3

TJX used an outdated WEP (wired equivalent

privacy) to secure its networks. In

2001, hackers were able to break the

code of WEPs, which made TJX highly

vulnerable to an intrusion. (Similar data

breaches have occurred within the past

few years at the firms ChoicePoint and

CardSystems Solutions.) In August of

2007, a Ukrainian man, Maksym Yastremskiy,

was arrested in Turkey as a

potential suspect in the TJX case. According

to police officials, Yastremskiy

is “one of the world’s important and

well-known computer pirates.”4 He led

two other men in the scheme.5

Even though the intrusion was discovered

in December of 2006, the company

did not publicize it until a month later.

Consumers felt that they should have

been notified of the breach once it was

discovered. However, TJX complied with

law enforcement and kept the information

confidential until it was told it could

notify the public. Retail companies such

as TJX that use credit card processing

are required to comply with the Payment

Card Industry Data Security Standard

(PCI DSS). The PCI DSS is a set of requirements

with the purpose of maximizing

the security of credit and debit card

transactions. A majority of firms have not

complied with this standard, as was the

case with TJX Companies.

A number of stakeholders were involved

in this break-in: consumers, who were put

at great risk; banks; TJX Companies (its

shareholders, management, employees,

and other internal parties who did business

with and were invested in the firm);

the credit card company; the law enforcement

and justice systems; the public;

other retail firms; and the media, to name

a few. CEO Carol Meyrowitz took an active

role in informing the public in statements

on the company’s Web sites and

through the media about the company’s

responsibility and obligations to its stakeholders

during and after the investigation.

TJX also contacted various agencies to

help with the investigation. A Web site

and hotline were established to answer

customer questions and concerns.

The intrusion cost TJX approximately

$118 million in after-tax cash charges

and $21 million in future charges. Although

TJX incurred substantial legal,

reimbursement, and improvement

costs, the company’s pre-tax sales

were not negatively affected. Sales during

the second quarter of fiscal year

2008 increased compared to second

quarter sales from fiscal year 2007.6

At the end of 2007, TJX reached a settlement

agreement with six banks and

bankers’ associations in response to a

class action lawsuit against the company.

7 In the spring of 2008, TJX settled

in separate agreements with Visa

($40.9 million with 80% acceptance)

and MasterCard International (a maximum

of $24 million with 90% minimum

acceptance). There was almost full acceptance

of the alternative recovery offers

by eligible MasterCard accounts.8

Note that those issuers who accept the

agreements and terms release and indemnify

TJX” and its acquiring banks on

their claims, the claims of their affiliated

issuers, and those of their sponsored

issuers as MasterCard issuers related

to the intrusion. That includes claims

in putative class actions in federal and

Massachusetts state courts.“9

Affected customers were reimbursed

for costs such as replacing their driver’s

license and other forms of identification

and were offered vouchers at TJX stores

and free monitoring of their credit cards

for three years. Customer discontent was

reportedly expressed after the intrusion;

however, customer loyalty returned,10 as

was evidenced in sales numbers. 4.1 MANAGING CORPORATE SOCIALRESPONSIBILITY

IN THE MARKETPLACE

“Corporate social responsibility” (CSR) involves anorganization’s duty and

obligation to respond to its stakeholders’ and the stockholders’economic,

legal, ethical, and philanthropic concerns and issues.11 Thisdefinition

encompasses both the social concerns of stakeholders and theeconomic

and corporate interests of corporations and their stockholders.Generally,

society cannot function without the economic, social, andphilantropic

benefits that corporations provide. Leaders in corporations whouse

a stakeholder approach commit to serving broader goals, inaddition to

economic and financial interests, of those whom they serve,including the

public.

Managing corporate social responsibility in the marketplace withmultiple

stakeholder interests is not easy. As discussed in Chapter 3,ethics

at the personal and professional levels requires reasoned andprincipled

thinking, as well as creativity and courage. When ethics andsocial responsibility

escalate to the corporate level, where companies must make

decisions that affect governments, competitors, communities,stockholders,

suppliers, distributors, the public, and customers (who are alsoconsumers),

moral issues increase in complexity, as the TJX securitybreach

opening case illustrated. For organizational leaders andprofessionals, the

moral locus of authority involves not only individual consciencebut also

corporate governance and laws, collective values, andconsequences that

affect millions of people locally, regionally, and globally.

In the opening case, the TJX executives had to deal not onlywith

their own customers, but with banks (in a class action suit),credit card

companies, the media, competitors, and a network of suppliersand distributors—

as well as their own reputation. What may have seemed like

a routine technical security problem turned into thelargest-known credit

card theft/unauthorized intrusion in history. Had the CEO notstepped in

and became a responsible spokesperson and decision maker for thecompany,

customers may not have responded in kind.

The basis of corporate social responsibility in the marketplacebegins

with a question: What is the philosophical and ethical contextfrom which

corporate social responsibilty and ethical decisions are made?For example,

not everyone is convinced that businesses should be as concernedabout

ethics and social responsibility as they are about profits. Manybelieve

that ethics and social responsibility are important, but not asimportant as a

corporation’s performance. This classical debate—and seemingdichotomy—

between performance, profitability, and “doing the right thing”continues to

surface not only with regard to corporate social responsibility,but also in political

parties and debates over personal and professional ethics. Theroots of

corporate social responsibility extend to the topic of what a“free-market” is

and how corporations should operate in free markets. Statedanother way,

does the market sufficiently discipline and weed out inefficient“bad apples”

and wrongdoers, thereby saving corporations the costs of havingto support

“soft” ethics programs?

A security breach in a technological world is one of the biggestissues facing companies today. Cyber security is a criticalconsideration for any business but time and time again businessesare faced with the fear of hacking into their customers'information. Review the TJX case in the textbook. What are theethical issues impacting the TJX case? What are the long termeffects and how might this company win back trust?