TJX says breach costs may exceed $150M

Computerworld - TJX Companies Inc. yesterday disclosed that losses from the massive data breach disclosed in January could reach well over $150 million, which analysts said make it the costliest theft to date.

The company in January acknowledged that 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc., making the TJX compromise the worst ever involving the loss of personal data.

The Framingham, Mass.-based discount retailer Tuesday reported  after-tax charges of $118 million in its second quarter ended July 28 to cover potential losses because of the data breach.

The charge includes $11 million in costs incurred during the quarter and a reserve of $107 million to cover potential future losses related to the breach. The reserves reflect the company's best estimation of probable future costs stemming from litigation, cash liabilities, investigations and other claims, the company said.

In addition, TJX yesterday said it expects to incur noncash charges of around $21 million during fiscal 2009 that are not included in the reserve fund.

"Together, these cash and noncash charges represent the Company's best estimate of the total losses the Company expects to incur as a result of the computer intrusion(s)," TJX said in a statement accompanying its quarterly results.

Yesterday's numbers come on top of the $25 million in after-tax costs TJX reported in the two previous quarters in connection with the breach.

Deven Bhatt, director of corporate security at Airline Reporting Corp., said the rising costs related to the TJX breach should help him convince management of the importance of heavy security investments.

Bhatt said he is not surprised by the projected costs of the breach, but noted that top executives at the  Arlington, Va.-based provider of ticket distribution and settlement services to more than 145 air and rail carriers were when he showed them  TJX’s SEC filings.

“They definitely were shocked,” by the numbers, Bhatt said. “It definitely helps security guys like me to make a solid business case. It’s a lot cheaper to protect than to do cleanup.”

As high as the costs disclosed by TJX are, the total could easily go even higher over the longer term, warned Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc.

"They have incurred about a third to a half of the costs they could end up having to pay," for the breach, Litan estimated. "They are facing potentially expensive and extensive litigation, which is why they have reserved more for losses. There's never been anything this big in terms of the breach itself and its cost implications."