Personally, I think that TJX should have been fined more, lost more shareholder value, and certainly seen a significant drop in its customer base and retail sales revenue. None of those things ever really happened. Responsible for the largest breach of consumer data in history (at least until they got trumped by Heartland this week), TJX received little more than a symbolic slap on the wrist. They announced two years ago in response to the breach that they would hold a "Customer Appreciation Day" sale.
I choose not to give TJX any of my money, but for those who do still shop there and might like to take advantage of this gesture, I think that their timing and lack of marketing around this promotion shows a complete and utter lack of appreciation for their customers. By announcing their "Customer Appreciation Day" only one day before holding it on a random Thursday in the middle of a week two years after stating they wanted to give back to the customers they betrayed, TJX is simply demonstrating that they'd like to be able to say they held true to their commitment while also ensuring that as few people as possible actually take part in or benefit from their promotion.
So, I am not going to shop there, but I hope you will. Spread the word. Tell your friends. Go on your lunch break. Buy as much as you can for 15% off (although they probably artificially inflated the retail prices so that they won't actually lose 15%). Whatever you do though- bring cash. I wouldn't trust TJX with any credit card data or sensitive information.
Careful reading of the indictments of the TJX data thieves show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. The TJX break-in was not as bad as we were led to believe. –Ben
Reading the story you linked, I respectfully disagree with their conclusion. It may be true that the extent of the actual fraud is not near what TJX paid (although it also may be that there is significantly more- or still will be significantly more).
However, that is not the point. TJX was required to protect data that they failed to protect. Once that failure was detected, the industry had an obligation to respond proactively to address the issue and protect consumers. You can’t just do nothing, put the burden on consumers to watch their own accounts for suspicious activity, and withhold judgment of the offending company until you later determine the actual damages.
In almost every data security breach the extent of the breach is theoretical. In other words, if a company loses a backup tape with 5 million customer credit cards on it, the breach is assumed to be 5 million customer credit cards even if the tape actually got incinerated and none of the data ever really becomes compromised.
Regardless of all of that- it was still shady and underhanded of TJX to schedule their “Customer Appreciation” day on a random Thursday with 24 hours notice. Not very appreciative.