The TJX data breach: Why loss estimates are overblown

The TJX data breach: Why loss estimates are overblown

Summary: George Ou outlines the perils of failing to secure your wireless network via the TJX data breach, but don't expect a massive financial hit from this security lapse. Ou cites a bevy of estimates regarding TJX's financial hit due to the loss of at least 45.

SHARE:
TOPICS: Big Data
12

George Ou outlines the perils of failing to secure your wireless network via the TJX data breach, but don't expect a massive financial hit from this security lapse.

Ou cites a bevy of estimates regarding TJX's financial hit due to the loss of at least 45.7 million data and credit card numbers. The range for these losses: $1 billion to $4.5 billion. Many assume a cost of $100 per lost record or more.

I'll believe it when I see it.

Thus far, TJX has taken a pre-tax charge of $5 million due to the computer intrusion. According to TJX's annual report this tally "includes costs incurred to investigate and contain the computer intrusion, strengthen computer security and systems, and communicate with customers, as well as technical, legal, and other fees."

TJX says it doesn't have enough information to "reasonably estimate losses we may incur." Of course that hasn't stopped folks from guessing at total losses.

Just to be safe TJX has stopped buying back its stock. In the end, TJX's balance sheet is healthier than ever. J.P. Morgan analyst Brian Tunick is projecting TJX's cash position to top $1 billion in 2008 due to better inventory management. TJX ended 2006 with $857 million in cash and is expected to end 2007 with $809 million, according to Tunick's estimates.

The problem with these big loss estimates from analysts and other observers is that they assume a brand hit and customer loss. In this Information Week story, "brand impairment" is cited as part of the reason why TJX could take a $4.5 billion hit due to its data breach.

So far, TJX's brand is just swell. Customers are still shopping--same store sales rose 6 percent in March. That sales tally doesn't exactly jive jibe with a Javelin Strategy & Research study that found three in four consumers will stop shopping a merchant if a data breach occurs. The disconnect: Consumers say they will stop shopping, but in reality they keep coming back if the price is right. Bottom line: If customers didn't abandon TJX at the height of its bad press they aren't leaving now.

Maybe these big loss estimates account for forgone market capitalization. The problem with that assumption: TJX shares are about where they were when the data breach went public.

Or maybe class action lawsuits will add up to big numbers. After all, TJX failed to secure its network for more than a year. "We are vigorously defending the litigation and claims asserted against us," says TJX.

So let's assume TJX gets its tail handed to it in court. TJX spends $50 million on lawyers and winds up settling for $200 million in a worst case scenario after many appeals. Naturally, only the lawyers get anything.

The subtotal thus far is roughly $300 million.

To be sure the consultant fees are going to be huge for TJX so let's factor in another $200 million.

That brings us to $500 million.

But unless postage on those "we're sorry to inform you" letters to customers add up to $500 million it's going to be tough to get to that magical $1 billion loss level everyone is talking about. 

Now this whole TJX episode makes some people cringe--they just can't believe that there's not severe pain inflicted when customer data is lost. Certainly George Ou wants to see TJX suffer a bit. But the initial outrage wears off quickly.

Overall, TJX will be seen as a victim--albeit a negligent one. And TJX customers don't get irate because most of them won't take a financial hit. After all, credit card companies eat fraudulent charges in most cases. Of course, identity theft is a risk, but that'll be a small number out of that 45.7 million. These estimates surrounding data breaches just don't add up to the reality.

Topic: Big Data

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

12 comments
Log in or register to join the discussion
  • A gibe at your jive

    The word is jibe, unless you mean the data aren't dancing together 1940s style.
    jouissance
    • LOL nice catch

      I can't dance--or type
      Larry Dignan
      • Jive works

        Jive is a common term meaning to work together. eg: "They just don't jive (together)" It does come from the dance but is used in modern english to mean works well together - jive(s) or does not work well together - don't jive.

        Here's an example of the definitions:

        Noun
        Definition:
        1. dance lively dancing style: an uninhibited dance, often with a man swinging and throwing a woman, originally to jazz music and later to rock and roll
        2. jazz music: jazz or swing music, especially that of the 1930s and 1940s
        3. language jazz jargon: the terminology and slang used by jazz musicians ( slang )
        4. insincere talk: smooth talk that is often deceptive or insincere ( slang )

        verb (past and past participle jived, present participle jiv?ing, 3rd person present singular jives)
        Definition:
        1. intransitive verb dance jive: to engage in dancing the jive
        2. intransitive verb language talk jive: to use the terminology and slang of jazz musicians ( slang )
        3. transitive and intransitive verb flatter: to flatter or deceive somebody with smooth or insincere talk ( slang )
        I know when you're jiving me.

        adjective
        Definition:
        insincere: lacking sincerity or honesty ( slang )
        His comments are so jive!
        AU-man
  • Who carries the real costs?

    The issue is that TJX won't recompense people who have to clean their credit reports, check the statements for illegal charges etc., or who will not be protected by the credit card companies because the charged amount is too small.

    The time of private people is valueable, too - and this should finally be generally accepted. If one has to waste a minute of his or her spare time because this company screwed up, this minute should be compensated for. Who ever once became victim of identity theft knows what I am talking about. You may end up spending months getting things straighten out. So why not saying: Everybody whose credit card has been stolen because of negligence is entitled to a minimum of $100 plus expenses and legal fees. Ah, then we are already at 4.5b Dollars, without legal fees and expenses!

    Next: The credit card companies won't have any losses because they dump all costs and charges on the merchants.

    Since even a simple validation of a credit card already costs a small amount systematic checks by hackers for "fresh credit cards numbers" run into the 10,000s of numbers tested within a short period of time - the merchants have to pay for it. Who is going to recompensate the merchants all over the world having to deal with those fees, with cleaning up their databases from tons of useless data and having to triple check every order because once again there are 45 million fresh stolen cards on the market?

    TJX will say that they are soooo sorry - but will never stand up to their full responsability.
    mgfint
    • I hear you there

      But companies are never going to fully pay back customers unless they are required by law.
      Larry Dignan
      • Somebody has to pay...

        I've had letters informing me of stolen laptops containing my personal information, three separate incidents with major household name financial services providers. Every one of them offered a full year of credit monitoring services, no cost to me but you can bet your TJX stock the monitoring services are charging the company responsible for the loss. So that's commonly accepted practice, TJX will end up liable for at least that.

        Then there's the cost of replacing all the credit cards. Every bank that has to replace a card suffers a loss, they all have a choice of eating it or charging TJX. If they eat it they do their shareholders a disservice (potentially actionable), hence the bank class action suits against TJX.

        Finally, studies such as the Ponemon Institute study show that there is a real and quantifiable loss of customers and business after a major breach. The figures I've seen, substantiated by analysis of real incidents, indicate around $125 per customer record is what experience has been.

        It's nice to downplay the impact, but the cost isn't imaginary. And what if the estimates are overblown, why downplay the potential?

        It's tough enough to get companies to protect consumers, why minimize their motivation by understating the loss?
        bruce_mcculley9
  • Can you recommend a way for home wifi users to safely encrypt their data?

    I'm scared now because I used WEP on my home wireless network. This stuff is way too complicated!!!
    david.beede
    • Securing WiFi at home (and work)

      A couple of simple steps:

      1. Use WPA2 or WPA (in order of preference, but WPA is fine if that is all you have) to encrypt your connection. If your WiFI box is more than a couple of years old you will probably have to buy a new one, what the heck they are cheap (consider the alternative...). You may also have to buy a new WiFi card for your laptop/pc if they do not support WPA2/WPA. You may be able to get an upgrade from the manufacturer, so check their website before buying replacements.

      2. make sure you secure your WiFi box. Look at the manual, it will tell you how to login as Administrator. You will probably have to Login to turn on WPA2. As well, you want to change your administrator userid and password. The defaults are easy to find on the internet, allowing a hacker to control your router if you have not changed them. Make the new userid and password longer than 8 char (16-20) and "secure" (not a word found in dictionaries, and a mix of letters (upper & lower), numbers, and special chars). Write them down and keep it somewere safe, away from the computer (or encrypted on the computer).

      3. if you can control the broadcast power, turn it down to the minimum you need for good connections. No need to blast out a signal any farther out "into the wild" than you have to.


      <snip>
      George Ou, a columnist for ZDnet, has provided us with a fascinating rant against "The Six Dumbest Ways to Secure a Wireless LAN":

      ? MAC filtering.
      ? SSID hiding.
      ? LEAP authentication.
      ? Disabling DHCP.
      ? Interior antenna placement and low power.
      ? Limiting your use to 802.11a or Bluetooth.

      He argues persuasively that all of the above techniques are useless in securing your Wi-Fi system. He barely mentions WEP, reiterating that it can be cracked in minutes. For more details, see Ou's list of the dumbest ways. http://blogs.zdnet.com/Ou/index.php?p=43
      </snip>


      <snip>
      Robert Riebs, a technologist/educator in Lafayette, Calif., is often called upon to configure wireless access points (WAPs) for his clients and colleagues.

      "After this is set up, I advise them to get a plug-in timer that is programmable," Riebs writes. "Now I set the power for the WAP to run only during the times they prefer to produce a wireless signal. (Who needs a wireless network in the middle of their sleep, whenever that is?)"

      Timing the power to your Wi-Fi connection should only be an addition to, not a substitute for, good WPA or WPA2 security
      </snip>

      Here are some related links to articles that give more points and support for the points made above:

      http://www.pcworld.com/article/id,130330/article.html - How to secure your wireless network (a few other related tips)

      http://www.54g.org/pdf/Wireless-WP200-RDS.pdf - This one provides some more info, including how to use the "Secure Easy Setup" button on some of the newer boxes.

      http://support.microsoft.com/default.aspx?scid=kb;en-us;893357 - MS patch to support WPA2/WPA on XP SP2.

      http://www.eweek.com/article2/0,1759,1820921,00.asp - related to above link

      an article by George Ou, a blogger for ZDnet, entitled "Understanding the Updated WPA and WPA2 Standards." - http://blogs.zdnet.com/Ou/?p=67 -

      http://www.lanarchitect.net/Articles/Wireless/SecurityRating/ - Wireless LAN security guide Security for any organization large or small - George Ou

      Hope this answers your question adequately
      R.
      Ron_007
  • The TJX data breach

    Who/what is TJX anyway?
    wayworld1
    • TJX owns TJ Maxx and Marshalls

      TJX is the parent company.
      georgeou
  • credit card companies don't take the loss.

    Credit card companies do not take the loss for fraudulent purchases. They push the losses to the merchant. If a thief charges $100 at Sears (for instance) and you claim that it was a legitimate purchase then Sears gets charged back $100. Sears takes the loss, not Visa or Master Card.
    clareJ
  • Banks litigating against TJX

    One little news article from two weeks ago or so is that the banks are sueing TJX to recover costs of issuing new cards.

    Lets see, that's 45.7 million cards times about $25 to replace each card comes up to $1.14 billion.

    Banks don't like to lose that kind of money. TJX will be in for a rough ride on this class action suit!

    That suit alone has the potential of going over a $billion. No, while the brand won't be impaired much, the banks will take their pound of flesh and in this case, I hope the banks win.
    theoldman59