Network World
TJX security breach aftermath: a case study in what to do wrong

Retailer needs to disclose more information before it is forced to
'Net Insider by Scott Bradner, Network World, 01/29/2007

Last week I wrote about what retailer TJX had done wrong leading up to its recent widely reported security lapse. This week's column is about what TJX has done wrong since the lapse was discovered.

In spite of full-page ads in the Boston Globe and Boston Herald in the last two days, the extent of the security lapse is still not known because TJX has steadfastly refused to provide any concrete information. The lack of information provides fertile ground for speculation -- for example, published reports last week that as many as 30% of all New Englanders may have been impacted. On Jan. 26, TJX announced it had hired John Gilbert, formerly with Dunkin' Donuts, as chief marketing officer. Maybe he is smart enough to understand that stonewalling is the worst possible reaction to a problem. Everything will come out in the end, and in this case it may come out with the president of TJX testifying on national TV in front of Congress. It is far better to provide more information than is being requested so it does not look like you are covering up.

Maybe TJX feels it cannot do this because it is covering up. Originally TJX maintained that it delayed making a public announcement at the request of law enforcement only to later admit the delay was in part a "business decision" and now, in the ads, the company says it was "in the best interest of our customers." Yeah -- the best interest of customers was to keep them in the dark until they finished their Christmas shopping. In the end, TJX only admitted to a problem after the first Wall Street Journal report.

TJX has still not said how many cards were exposed, yet some information must exist because banks are quite busy contacting their customers and replacing cards (including my wife's). At the very least, TJX could tell its customers -- the folks whose trust it has to retain in order to stay in business -- what TJX told the banks. Delaying will increase rather than decrease the pain when the numbers do come out.

Unlike most organizations that have had similar, although far smaller, breaches, TJX has not said it would protect customers by buying credit watch services for them. I expect the company will have to do so at some point, but because it is delaying so long, it's clear that protecting customers has not been a concern for TJX and it will only do so when forced.
