TJX says breach costs may exceed $150M

Takes $118M second-quarter charge to cover some expected losses

TJX Companies Inc. yesterday disclosed that losses from the massive data breach disclosed in January could reach well over $150 million, which analysts said make it the costliest theft to date.

The company in January acknowledged that 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc., making the TJX compromise the worst ever involving the loss of personal data.

The Framingham, Mass.-based discount retailer Tuesday reported  after-tax charges of $118 million in its second quarter ended July 28 to cover potential losses because of the data breach.

The charge includes $11 million in costs incurred during the quarter and a reserve of $107 million to cover potential future losses related to the breach. The reserves reflect the company's best estimation of probable future costs stemming from litigation, cash liabilities, investigations and other claims, the company said.

In addition, TJX yesterday said it expects to incur noncash charges of around $21 million during fiscal 2009 that are not included in the reserve fund.

"Together, these cash and noncash charges represent the Company's best estimate of the total losses the Company expects to incur as a result of the computer intrusion(s)," TJX said in a statement accompanying its quarterly results.

Yesterday's numbers come on top of the $25 million in after-tax costs TJX reported in the two previous quarters in connection with the breach.

Deven Bhatt, director of corporate security at Airline Reporting Corp., said the rising costs related to the TJX breach should help him convince management of the importance of heavy security investments.

Bhatt said he is not surprised by the projected costs of the breach, but noted that top executives at the  Arlington, Va.-based provider of ticket distribution and settlement services to more than 145 air and rail carriers were when he showed them  TJX’s SEC filings.

“They definitely were shocked,” by the numbers, Bhatt said. “It definitely helps security guys like me to make a solid business case. It’s a lot cheaper to protect than to do cleanup.”

As high as the costs disclosed by TJX are, the total could easily go even higher over the longer term, warned Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc.

"They have incurred about a third to a half of the costs they could end up having to pay," for the breach, Litan estimated. "They are facing potentially expensive and extensive litigation, which is why they have reserved more for losses. There's never been anything this big in terms of the breach itself and its cost implications."

Litan said the breach will likely cost TJX about $500 million over the long term.

TJX, which owns retail companies such T.J.Maxx, Marshalls and Bob's Stores, disclosed in January that someone had broken into computer systems and illegally accessed credit card data of customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland.

The disclosure prompted several lawsuits, including one by the Massachusetts Bankers Association, which seeks tens of millions of dollars in restitution for banks that were forced to block and reissue thousands of debit cards. The Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock, and the Merchant Law Group LLP in Canada have filed other lawsuits.

Several more states are actively contemplating lawsuits against the retailer, according to an analyst who is helping one state with such litigation. Such litigation could end up costing TJX millions of additional dollars, said the analyst, who requested anonymity.

The TJX breach and its anticipated costs should serve as a "wake-up call that current security approaches are not working," said Bill Bartow, vice president of marketing at security vendor Tizor Inc. in  Maynard, Mass. Like Litan, Bartow also expects that the costs associated with the intrusions could be much higher than the current TJX estimates.

Khalid Kark, an analyst at Cambridge, Mass.-based Forrester Research Inc., said the latest disclosure by TJX supports his earlier prediction that the breach will ultimately cost the retailer close to $1 billion.

"The first-year costs are significant," Kark said. "But we tend to underestimate the costs over time," especially from lawsuits that play out over several years. "There's no way to figure out how much this thing is going to cost them in the long run."

Despite the charges, TJX reported strong second-quarter results. Sales in the period increased by 9% to $4.3 billion from $3.9 billion a year earlier. Sales for the first six months of the fiscal year are up by 7%, the company said. Similarly, the company's stock prices have for the most part not been affected by the breach.

Even so, the sheer scope of its breach-related costs should convince "people who are on the fence" to spend the millions of dollars they sometimes need on security fixes, Litan said. "Strengthening data security is much less expensive than responding to a security breach." The TJX breach gives "security managers a strong business case," for seeking additional investments in information security, she added.

Copyright © 2007 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon