"Lax?" How about "no" security?
Frankly, if this doesn't put TJX out of business, there is no justice whatsoever in the world. In my professional opinion (I'm in I.T. on the day job, and I own and operate an Internet hosting firm the other 24 hours/day :-| ), this sort of complete and utter disregard for the security of customer information is criminal; TJX might just as well havge called up the Russian Mafia and *asked* them to come steal customer identities.
Of course, the employees who set up the network for TJX might not have been well-trained, nor even told what the network was to be used for. When you hire people at Minimum Wage, you're unlikely to get the best-qualified people available - and the installation wasn't something that could be outsourced to qualified-but-cheap offshore firms, was it?