Case Study: TJ Maxx’s Data Breach

Information technology is considered one of every organization's most important assets: it reduces cost, improves efficiency, and makes work easier for people around the globe. Because IT systems are repositories of valuable information, businesses are continuously under attack by cybercriminals.

This article looks at one clear failure to secure data assets: the TJX data breach of 2007. It explains the breach and how TJX handled its discovery, including how TJX engaged with the public, consumers, federal regulators, and law enforcement. It then reviews the cybersecurity practices TJX had in place at the time of the attack, as well as the main consequences of the breach.

Overview of the TJX Data Breach

TJX is a large multinational apparel and home goods retailer with stores across the United States, Canada, and Europe under several brand names. According to Cereola and Cereola (2011), TJX invested heavily in its information systems and relied on them to run its business successfully and efficiently. Nevertheless, in 2007 TJX publicly acknowledged that it had been the victim of a data breach. Data on over 45 million credit and debit cards was stolen, making it one of the largest data breaches at the time (Weiss & Solomon, 2016).

TJX Practices at the Time of the Attack

According to the FTC (2008b), TJX had several inadequate and egregious policies at the time of the data breach that directly contributed to the attack. One of these was the excessive storage of customer data for unnecessarily long periods of time. This also violated the Payment Card Industry Data Security Standard (PCI DSS), an attempt by the main credit card providers to self-regulate in order to “establish standards for security policies, technology, and continuous procedures that secure their payment systems against intrusions” (PCI Security Standards Council, 2021, para. 4).
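As an added illustration of the retention principle above (example code, not from the article or from TJX's systems), the following Python sketch applies a hypothetical 90-day retention window to constructed transaction records: records still inside the window keep only a masked PAN, and older records are listed for deletion.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Constructed sample records (well-known test card numbers, not real
# cardholder data): transaction id, stored PAN, and settlement time.
@dataclass(frozen=True)
class TxRecord:
    tx_id: str
    pan: str            # full PAN as stored; not needed once settled
    settled_at: datetime

def mask_pan(pan: str) -> str:
    """Keep only the last four digits; full PANs should not remain on disk
    after the business need for them has passed."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("PAN too short to mask")
    return "*" * (len(digits) - 4) + digits[-4:]

def apply_retention(records, now, retention_days=90):
    """Return (kept, purged_ids). Kept records carry a masked PAN; any record
    settled earlier than the retention window is scheduled for deletion.
    The 90-day window is a hypothetical, business-justified figure."""
    cutoff = now - timedelta(days=retention_days)
    kept, purged = [], []
    for rec in records:
        if rec.settled_at < cutoff:
            purged.append(rec.tx_id)          # past retention: delete outright
        else:
            kept.append(replace(rec, pan=mask_pan(rec.pan)))
    return kept, purged

SAMPLE = [
    TxRecord("t1", "4111 1111 1111 1111", datetime(2007, 1, 2, tzinfo=timezone.utc)),
    TxRecord("t2", "5500000000000004", datetime(2006, 6, 1, tzinfo=timezone.utc)),
    TxRecord("t3", "4012888888881881", datetime(2004, 3, 15, tzinfo=timezone.utc)),
]

def run_sample():
    """Apply the policy to the constructed records as of a fixed date."""
    return apply_retention(SAMPLE, datetime(2007, 1, 17, tzinfo=timezone.utc))

if __name__ == "__main__":
    kept, purged = run_sample()
    for r in kept:
        print("keep", r.tx_id, r.pan)
    print("purge", purged)
```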

In addition to the retention problem, TJX violated several other fundamental cybersecurity principles. For example, according to Berg et al. (2008), TJX was using an encryption standard that researchers had already shown to be insecure.

Effects of the Data Breach on TJX

The FTC ordered TJX to hire a cybersecurity officer, specify “particular administrative, technological, and physical precautions” (Docket C-072 3055, 2008a, p. 4), and certify annually, for the following twenty years, that its new cybersecurity program was operating effectively. TJX also paid considerable sums to settle with the credit card companies (almost $41 million to VISA and $24 million to MasterCard) and with attorneys general from numerous states, agreeing to verify that its IT systems were secure and to pay restitution to affected consumers for direct harm and credit monitoring (Cereola & Cereola, 2011). TJX’s overall cost for the data breach topped $250 million (Kerber, 2007).

TJX’s 2007 data breach is no longer even among the top 15 data breaches (Hill & Swinhoe, 2021). When it happened, however, it was a watershed event for organizational cybersecurity. While TJX did everything right in the aftermath of the hack (investigating internally, recruiting outside experts, and alerting the public, law enforcement, and regulatory authorities), those steps should not obscure the company’s lax cybersecurity policies before the intrusion. TJX’s poor cyber hygiene around its vital assets (perhaps its crown jewels: customer data), including the lack of a robust incident response capability and its failure to discover these weaknesses early, justified the financial penalties it received and the FTC’s judgment against it.