TJX and the power of plunging profits

Bill Brenner

TJX was back in the news this week, reporting that its bottom line took a second-quarter beating because of the massive security breach that exposed more than 45 million customers to identity fraud.

The retail giant says it has spent $256 million dealing with the breach, which was first disclosed in January. That’s more than 10 times the $25 million figure TJX cited in May.

If anyone feels sorry for TJX, they’re not expressing themselves in the blogosphere. Instead, security bloggers are expressing a hope that I share — that maybe, just maybe, corporations in general will look at TJX’s plunging profits and be scared into taking security more seriously.

Carlo Longino noted in the Techdirt blog that while personal data leaks continue to occur on a regular basis, few companies or government agencies seem to be taking the problem seriously. “This is mostly because after the initial bout of bad PR, the repercussions are minimal, so few groups bother to spend the time and resources needed to put proper preventative measures in place,” he wrote. “Perhaps, though, that will begin to change as the costs of these data leaks and breaches become more publicized.”

He said that while it doesn’t appear that TJX was paying much attention to security, a 25 cent per share loss will surely make investors take notice and “hopefully, [that] will force companies to take data leaks and security more seriously.”

Or, as others suggest, nothing is likely to change at all.

Blogger Evan Schuman noted in his Storefront Backtalk blog that the TJX numbers can be sliced, diced and spun to look either worse or better than they initially appear. It’s all in the spin.

“First, the optimistic side. TJX did not, in fact, say that it actually has spent—or necessarily will spend—anything more than a tiny fraction of those dollars,” Schuman wrote. “The overwhelmingly largest charge—a $107 million after-tax figure for the chain’s second 2008 fiscal quarter—was merely a ‘reserve,’ a nest-egg for what TJX fears its costs may be. Theoretically, its costs might be much lower.”

Continuing on the bright side, he wrote, those costs are not causing severe financial strain on the $17 billion company, “especially given the fact that its revenue is still soaring, meaning that consumers have strongly embraced TJX and their retail choices are presumably not being impacted by the breach.”

On the downside, he wrote, the price may still turn out to be high for a company that may ultimately be found to have done nothing wrong.

Still, he wrote, “Courts and juries typically wouldn’t hold TJX accountable for its security quality as long as it was within the range typical for that size and type of a retail organization. That means that as long as there are plenty of examples of similarly-sized retailers whose security is every bit as lax—or, for that matter, strict—as TJX, they’re likely to emerge unscathed.”

Indeed, TJX is such a massive company that this financial hit may in the end prove to be a mere drop in the bucket. And that’s sad, because credit card holders will still be hurt, and the message is that if you’re a large enough company you can get away with hurting people.

Of course, if you look hard enough, you’ll find examples of companies that do pay the ultimate price for lax security. Dave Jevans noted in his Privacy and Identity Theft blog that IT contractor Verus Inc. was forced to fold after being blamed for security breaches at five or more hospitals across the country. The headline of his entry, “The high cost of data breaches,” says it all.

Now for my two cents:

Companies only learn from their mistakes when customers, investors and major partners threaten to walk away. Take the case of CardSystems Solutions.

In 2005, CardSystems disclosed that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more, and in the aftermath Visa and MasterCard threatened to terminate it as a transaction processor. As my colleague Mike Mimoso noted in his story on companies that cleaned up after a data breach, “The death watch was on, something CEO John Perry confirmed before Congress where he said his company faced ‘imminent extinction’ because of Visa and MasterCard’s action.”

But CardSystems came back from the brink, hiring AmbironTrustWave to perform a forensic analysis and consult on compliance, among other things. Eventually, the company improved the security of its systems just enough that it became a viable candidate for acquisition. In October 2005, Pay By Touch announced it was acquiring substantially all of CardSystems’ assets.

Had MasterCard and Visa not threatened to dump CardSystems, it’s a reasonable bet that the company would have kept chugging along with no motivation to better its security.

In the final analysis, the big guys like TJX will take security only as seriously as they are forced to. Maybe the costs to date mean nothing to TJX. But if investors and customers turned up the heat and kept it on, the potential losses would simply be too much to ignore.

In the kingdom of commerce, the people rule — when they feel like it.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.
