TJX breach-related expenses: $17M and counting

The company took a $12M after-tax charge in its last quarter

The TJX Companies Inc. today announced that it took a $12 million after-tax charge for the quarter ending April 28 in connection with the massive data breach it disclosed in January.

The charge of 3 cents per share included the costs involved in investigating and containing the intrusion, beefing up computer security, communicating with customers, and various legal and other fees, the company said in its first quarter earnings statement.

The company expects to incur a similar charge of 2 cents to 3 cents per share in the second quarter, as well, TJX said. It also warned investors of even more potential costs down the road. "TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses," TJX said in its statement.

The Framingham, Mass.-based TJX owns several retail brands, including T.J. Maxx, Marshalls and Bob's Stores.

In January, the company announced that someone had broken into its payment systems and illegally accessed card data belonging to customers in the U.S., Canada, Puerto Rico, the U.K. and Ireland. In filings with the U.S. Securities and Exchange Commission in March, the company said 45.6 million credit and debit card numbers were stolen over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc. and made the TJX compromise the worst ever in terms of the loss of payment card data.

The $12 million charge comes on top of the $5 million in breach-related costs cited by TJX in the previous quarter. And that may just be the tip of the iceberg, said Khalid Kark, an analyst at Forrester Research Inc. in Cambridge, Mass., who released a report last month on all the factors that need to be included when totaling data breach costs.

Apart from direct expenses related to breach discovery, response and notification, companies also incur a variety of other costs such as those stemming from regulatory fines, lawsuits, and additional security and audit requirements. Several lawsuits have already been filed against TJX, including one by the Massachusetts Bankers Association seeking tens of millions in restitution for banks that were forced to block and reissue thousands of debit cards following the breach.

There are also somewhat less tangible costs such as lost employee productivity and opportunity costs that need to be factored in, Kark said. The expenses disclosed by TJX could be "just a fraction" of what the breach could eventually end up costing the company.

"This is something that is going to play out over years," he said.

Copyright © 2007 IDG Communications, Inc.
