TJX Says Breach Costs May Exceed $150 Million

Computerworld - The TJX Companies Inc. last week reported that losses from a massive data breach it disclosed in January could surpass $150 million, which analysts say makes the crime the costliest such incident to date.

The Framingham, Mass.-based discount retailer in March acknowledged that 45.6 million customer credit and debit card numbers were stolen from one of its systems over a period of more than 18 months.

We have continued to learn more about the computer intrusion(s) and are now able to estimate the companys liability, said Carol Meyrowitz, president and CEO of TJX, in a statement.

Last week, TJX reported a charge of $118 million in its second quarter, which ended July 28, to cover potential costs related to the breach. The company said it expects to incur additional noncash charges of $21 million during its 2009 fiscal year.

The new charges are in addition to the $25 million set aside in the previous two quarters to cover breach costs.

Meyrowitz noted that the company over the past months [has] worked diligently to further strengthen the security of our computer systems.

Deven Bhatt, director of corporate security at Arlington, Va.-based Airlines Reporting Corp., said the rising costs of the TJX breach should help him convey the importance of heavy security investments to top management at his firm, which provides ticket distribution and settlement services to more than 145 air and rail carriers.

Bhatt said that while he was not surprised by TJXs projections of its breach-related costs, top executives at Airlines Reporting were amazed when he showed them TJXs Securities and Exchange Commission filings.

They definitely were shocked, Bhatt said. It definitely helps security guys like me to make a solid business case. Its a lot cheaper to protect than to do cleanup.

Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc., said the costs of the TJX breach are likely to increase significantly.

They have incurred about a third to a half of the costs they could end up having to pay, Litan estimated. They are facing potentially expensive litigation. Theres never been anything this big in terms of the breach itself and its cost implications.

Litan predicted that the breach will ultimately cost TJX about $500 million.

Lawsuits related to the breach have already been filed against TJX by the Massachusetts Bankers Association, the Arkansas Carpenters Pension Fund and the Merchant Law Group.

Several more states are actively contemplating lawsuits against the retailer, according to an analyst who is helping one state with such litigation.

Another analyst, Khalid Kark at Forrester Research Inc., also predicted that the total costs will far exceed the TJX estimate. The first-year costs are significant. But we tend to underestimate the costs over time, especially from lawsuits, Kark said.

He said the final costs to TJX could approach $1 billion.

Despite the charges, TJX reported strong second-quarter results, with sales increasing by 9% to $4.3 billion.

Even so, the scope of the breach costs should convince companies that are on the fence to invest heavily on security fixes, Litan said.

Strengthening data security, she said, is much less expensive than responding to a security breach.

Read more about Security in Computerworld's Security Topic Center.