January 22, 2007

Crisis Counselors Question TJX Response to Breach

By George Anderson

It’s a really bad day when you discover that someone has hacked into your computer system and gotten hold of personal financial information of customers in your store.

That one bad day can get a whole lot worse, say crisis communication consultants, if a company fails to take the necessary steps to protect and communicate with its customers.

A report in The Boston Globe recalls how Richard Walega, who believes he is a victim of the TJX hack (he shopped at a T.J. Maxx store), tried to report that his credit card was charged $6,700 for purchases he did not make.

Mr. Walega said he tried a company hotline and web site, looking for ways to report what had happened, before he was finally told to write a letter and mail it to TJX headquarters in Framingham, Mass.

“It’s so frustrating. I want to give them a tip, and all I get is the run around,” he said. “Honest people are trying to help them, and it doesn’t seem like they care.”

TJX spokeswoman Sherry Lang called the handling of Mr. Walega’s case an “unfortunate customer experience.”

For its part, TJX has taken many of the steps necessary to deal with this incident, but some believe that it has hurt more than helped its case with consumers in a number of ways.

Critics say TJX is not sharing enough information with consumers and is leaving it up to banks and credit card companies to make its own shoppers aware they may be at risk.

The company has also put itself in a bad position by waiting a month to announce what it has called an “unauthorized intrusion” into its systems instead of getting the word out more quickly.

Mike Lawrence, executive vice president of crisis prevention and management at Cone Inc., said he would have liked to have seen TJX call a news conference with its executives and law enforcement professionals to publicly discuss what had happened and next steps. It also should have trotted out new companies responsible for computer security to assure consumers every step was being taken to prevent any further breaches.

“I’d get the CEO out to the stores to talk to and reassure employees and customers, whatever they can do to instill confidence in the company’s ability to fix the problem and help customers if they’ve been affected,” said John Isaf, a senior vice president and director at Arnold Corporate Communications.

According to the Globe, TJX chairman and CEO, Ben Cammarata, has not made any public comments on the situation.

Discussion Questions: What is your assessment of how TJX has handled this matter from a consumer communication standpoint and what, if anything, it should do that it has not yet done? Will TJX’s handling of this matter have an impact on sales in its T.J. Maxx and/or Marshalls?

Race Cowgill

This is yet another example of how an organization’s Master System processes High-Intensity Information. In this case, the H-I Information is the threatening and embarrassing information that TJX had a security breach. It appears that TJX’s Master System is blocking this information from flowing out of the company, where it would be threatening and embarrassing again. The Master System is justifying this with information along the lines of, “Look, we don’t want anyone to know this happened. It will make us look bad.” But it did become known through other channels, and yes, it makes the company look bad, and the company’s withholding this information makes it look even worse. This is not effective processing of this information. There is a common assumption that being open about a problem like this will hurt you, but this assumption has proven to be false.

It’s hard for me to fault TJX’s management, since they are controlled by the Master System, just like everyone else in their organization. This doesn’t mean that they did the right thing; it only means that their failure to act openly is not a personal failing: it is an organization-system failing.

James Tenser

Tenser’s three rules for good customer relations:

#1 Have a plan in place to do the right thing.

#2 Do the right thing.

#3 When wrong things happen, refer to rules #1 and #2.

In this unfortunate instance, TJX had no plan and it failed to do the right thing. It surely didn’t allow the hacker’s intrusion on purpose, but as the hackneyed old saying goes, “failure to plan is planning to fail.”

So here’s a wake-up call to senior managers. If you can’t state at this second that you have a sound customer relations plan in place to address your company’s response to inevitable attacks on your customers’ privacy, you are failing in your fiduciary responsibilities and you should have all your backdated stock options, golden parachutes and country club memberships immediately revoked.

Yes, unexpected things happen. But there simply are no excuses for letting your customers down this way. Period.

Art Williams

It sounds like they weren’t sure what to do and took too long to do anything. I can sympathize with the panic and frustration they must have felt when they discovered this, but that doesn’t excuse their late and less than effective actions to date. I feel that they need to be proactive and do everything possible to assist their employees to handle this correctly. And even more importantly they need to be a resource to their customers. I can only imagine how maddening it must be to try to reach them and be told to write them a letter. Most customers will be understanding and forgiving if they feel that the company is on top of it and trying their best to get things right. Why is it that so many CEOs get “stage fright” and are unavailable when they are most needed? You would think with the compensation they receive that they could be expected to handle a little PR when it’s most needed.

Camille P. Schuster, Ph.D.

Trust is a significant component of customer loyalty. If customers can’t EASILY communicate with the company, that hurts trust. If customers don’t get a response to critical issues quickly, that hurts trust. If companies are not proactive in difficult situations, that hurts trust. If companies do not communicate their apology AND the steps being taken to resolve the issues AND recourse for consumers, that hurts trust. The amount of media airing and distribution determines how widespread the issue becomes. Choosing to wait to do anything, waiting for a letter in the mail system to reach the company to be alerted to a problem, not proactively contacting those customers (individually if you still have copies of the records or by mass media) all undermine the company’s ability to keep the trust and loyalty of consumers.

Herb Sorensen, Ph.D.

I’ve had a similar experience to Mr. Walega, not in losing the identity, but in trying to explain to a major retailer the problem I had with getting “spoofed” and receiving “phishing,” ostensibly from their company.

I can understand the general public not understanding these concepts, but for a major multi-billion dollar player in e-commerce to not be able to communicate with a customer about these matters, borders on criminal incompetence. I gave up on trying to help them with their problem. They seemed incapable of understanding that they had one.

Bernice Hurst

Two of the most irritating and meaningless gestures a company can make at the moment, “all we can do is apologise” and “we have already started learning lessons and correcting our mistakes to ensure the problem doesn’t happen again,” don’t even seem to have been offered in this case.

I wonder, has the company stopped trying to sell their customers on the idea of loyalty? Whether deliberately or not, I am sure that they have inadvertently done so by their apparent disinterest in this event. Those who have already pointed out that there should have been a contingency plan ready and waiting are absolutely right. It won’t help those affected by this little fiasco–internally or externally–but it might just begin to restore a little bit of the company’s credibility if they open up enough to say precisely what steps they are taking to ensure they can quickly and efficiently deal with future problems. If all retailers had the same attitude, they might just as well throw away all their computers and write off any investment they have made in them.

Odonna Mathews

Every company needs a Privacy Officer to oversee company policies and to handle situations like this. Quick disclosure communicates concern; hesitation hurts consumer confidence and the business itself. Trust is earned over time.

In my experience, a company always comes out better if they communicate quickly and decisively.

Li McClelland

These “whoops!” moments that we seem to see so regularly just amaze me! In this day and age, any company which does not have plans in place to handle a variety of potential public relations disasters is just asking for trouble. At the very least they should know in advance what they would do for a hostage situation, a product tampering or contamination situation, a privacy/compromised financial data situation, the sudden loss of a key executive due to malfeasance or criminal activity, etc., etc.

Of course, one hopes that the plans would never need to be used but having plans that are regularly reviewed and updated and known to key people who are authorized to implement should be part of any company’s base business plan.

The fact that TJX waited a month (the Christmas shopping month) to announce a security breach makes them look kind of sleazy, although it may have just been an incompetent response due to poor planning.

Mark Lilien

There have been so many security breaches involving so many companies that it’s unlikely TJX’s brands will be significantly hurt. It’s disappointing that the company’s announcement came a month after the breach was discovered. I’m sure that TJX didn’t want to panic their customers during the Christmas rush, and it does take time to evaluate a problem.
