The Meaning Of TJX’s $168 Million Data Breach Cost

Written by Evan Schuman
August 15th, 2007

When the $17 billion retailer reported a possible pre-tax hit of $168 million for its data breach, did it see it as anything more than a cost of doing business? And a minor cost at that?

With all of the numbers that TJX issued in its Tuesday earnings statement, the one that has generated the most attention was a $168 million estimated hit associated with the data breach announced in January, which saw consumer information from an estimated 46 million debit and credit cards walk out the door.

The numbers were sliced and diced many ways. There was about $118 million in after-tax costs taken in the most recent quarter alone, plus $21 million projected as a possible hit for next year on top of $29 million already reported in prior quarters. The Boston Globe quoted a TJX official saying that the $118 million quarterly after-tax figure was about $196 million pre-tax and that the $21 million for next year was about $35 million pretax. A chart issued by TJX gives a six-month data breach cost of $215.9 million, without explanation.

But a closer look at those numbers suggests both a more dire and a more optimistic perspective.

First, the optimistic side. TJX did not, in fact, say that it actually has spent (or necessarily will spend) anything more than a tiny fraction of those dollars. The overwhelmingly largest charge, a $107 million after-tax figure for the chain’s second 2008 fiscal quarter, was merely a “reserve,” a nest egg for what TJX fears its costs may be. Theoretically, its costs might be much lower.

Continuing on the optimistic side, those costs are not causing severe financial strain on the $17 billion retail giant, especially given that its revenue is still soaring, meaning that consumers have strongly embraced TJX and their retail choices are presumably not being affected by the breach. For the six months ending July 28, 2007, the chain reported $8.4 billion in revenue, an almost 8 percent increase from the $7.8 billion it reported for the same six-month period a year earlier.

Are these figures merely the cost of doing business and an acceptable cost at that? To get a sense of that, it’s important to drill down into what these numbers truly represent.

TJX’s official word on the reserve is that it represents TJX’s “estimation of probable losses, in accordance with generally accepted accounting principles, based on the information available to the Company as of August 14, 2007, and includes an estimation of total, potential cash liabilities from pending litigation, proceedings, investigations and other claims, as well as legal and other costs and expenses, arising from the intrusion.”

Given the cost of updating security systems for a chain this large, as well as the legal fees for merely dealing with the many civil lawsuits that arose from the breach’s disclosure, those are not particularly large figures. Indeed, it is hard to avoid concluding that the estimates assume TJX will face relatively small jury awards, if any of this litigation ever reaches a jury.

What does all of this mean for retailers trying to decide the cost of being breached? On the plus side, TJX thinks that it will do well in most, if not all, of its litigation defenses, including the costs to be associated with an expected settlement with dozens of state Attorneys General.

On the negative side, that’s quite a high pricetag for a company that may ultimately be proven to have done no wrong. Please note the emphasis on proven, to avoid angry E-mails from readers who confuse what’s provably wrong with what is actually wrong. Provably wrong involves what damages can be proven at trial and can be reasonably blamed on TJX. Will juries and judges view TJX as a victim of brilliant cyber thieves or as a massive company that cut corners and was reckless with consumer private information? TJX seems to be betting with the former.

Another critical consideration at trial would be whether TJX’s security operations were managed within the norms of that industry segment. Did it perform its security within the customs of large retail IT shops?

In short, courts and juries typically wouldn’t hold TJX accountable for its security quality as long as it was within the range typical for a retail organization of that size and type. That means that as long as there are plenty of examples of similarly-sized retailers whose security is every bit as lax (or, for that matter, as strict) as TJX’s, it is likely to emerge unscathed.

A big open question is how bad TJX’s IT security procedures will look when full light is shed on them. Today, relatively little is known about how the data breaches happened. There have been numerous media reports about various ways the breach might have started, including a wireless attack and hot-wiring USB drives in the back of non-firewall-protected in-store job-application kiosks.

But TJX has confirmed none of it, and some attorneys involved in the TJX litigation express doubt whether even TJX knows for certain how it began. They know, to a limited extent, what was taken, and they found various security holes after the fact, but establishing which hole was actually used in a specific attack is much more complex. Given that TJX has reported the breaches occurred over multiple years, pinpointing a precise initial cause (assuming there even was one specific cause) is not easy.

Getting back to the data breach costs, these figures represent a huge cost for a company that may skate on many of the civil accusations. If that’s the cost of winning, what will the cost look like if it starts to lose?

Another consideration is how applicable the TJX costs are to other retailers. The way TJX is corporately branded may be dramatically lowering its costs.

The media headlines (and those headlines have been much more numerous in the business and trade press than in the consumer press) have all focused on TJX. Many customers may indeed be wary of giving their credit cards to TJX, but don’t realize that Marshalls, HomeGoods, A.J. Wright, Bob’s Stores, Winners and HomeSense are all part of the chain. Even the brands closest to the parent company’s name, T.J. Maxx and T.K. Maxx, are not dead ringers for TJX.

If this kind of a breach hit Wal-Mart, Rite Aid, Circuit City or the vast majority of other major retail chains that brand all of their stores with the corporate name, that consumer confusion wouldn’t help.

Mark Rasch, the former head of the U.S. Justice Department’s high-tech crimes group and today an attorney specializing in retail security, said it’s hard for a retailer to walk away from the TJX incident and not be shaken.

“Right now, the bulk of the losses are due to the investigation, locking down their system, preventing it from happening in the future and litigating the cases,” he said. “That’s millions of dollars in losses before a single judgment is entered or made. Even if they win all of their cases, they are going to have to pay a lot.”

Steve Rowen, a security analyst with Retail Systems Research, sees an uncertain TJX future, but said that the chain’s customers hold much clout and, thus far, those consumers haven’t been moved very much.

“What we’ve really confirmed from the TJX breach is that customers blame criminals, not retailers. Therefore, TJ Maxx, Marshall’s and virtually all off-price retailers are still full of customers. In fact, the parking lots were full in the days immediately following the breach announcement. I checked,” Rowen said. “But that simply does not mitigate in any way the cost of such an event. Bank-driven class actions are yet to be determined. FTC fines are yet to be determined. This will be the first case where the retailer gets handed the bill and that’s why every other retailer should be scrambling to become compliant.”

Many are positioning this as an argument about retail security and whether TJX’s less-than-stringent security execution (assuming it turns out to be less than stringent) will cause it financial hardship. But in quite a few ways, the TJX outcome may have less to do with retail IT security and more to do with the legal system in the U.S.

The retailer’s nine-figure exposure is not based on its losing legal actions or facing huge fines. That may indeed happen, but the figures are based on the assumption that most fines will be small and court awards will be trivial. These costs are the costs that any deep-pocketed retailer must pay to defend itself against the litigation and the various investigations.

If TJX ultimately proves to have been reckless, then these fees may have a basis. But if in the final analysis, TJX is found to have done little wrong that most other similarly-sized retailers weren’t doing and it still is paying out more than $100 million, there is something very wrong with the system.

