Not much naughtier than other retailers:
I’d say yes to coal for most of the major retailers for dropping the ball on security. Bigger chunks of coal need to go to state legislators and the U.S. House and Senate for failing to pass any laws protecting consumer data (although Minnesota got quite close). But to TJX? I’d give it a pass.
TJX theorized—correctly—that any breach wouldn’t cause any impact on sales, as consumers (protected by the card brands’ zero-liability deals) would stand by it. With that regrettable fact out there, it would have been extremely difficult for TJX to have justified spending much more than it did.
“Justified” in the last quoted sentence means “justified to shareholders”.
There’s gotta be a dissertation out there about herd behavior in the face of the inability to measure the effect of behaviors on outcomes. It explains way more than I wish it did about infosec resource allocation decisions.
Pic via The Daisy Museum (in downtown Rogers, Arkansas).