Lessons from TJX Security Breach
By Tom Ryan
Just a little over a year ago, The TJX Cos. disclosed what became the largest information security breach involving credit and debit card data. The incident left many wondering about the financial cost of the intrusion, its effect on consumers, and the chances that it could happen again.
Marking the anniversary, ITBusiness.ca came up with five takeaways from the breach’s fallout:
1) Breach disclosures don’t always affect revenue or stock price: Despite the costs and bad publicity, TJX’s stock trades at virtually the same price as before the breach. Sales also remain healthy – comparable-store sales up 4 percent in the eleven months through Jan 5 – despite concerns that consumers would be wary of shopping at the off-pricer. Avivah Litan, an analyst at Gartner Inc., believes consumers realized they themselves won’t have to pay for any fraud that might result from payment card compromises.
2) Breaches can be costly: TJX has so far set aside about $250 million in breach-related costs, and Forrester Research estimates that could rise to $1 billion over the next few years. So far, costs have involved fixing security flaws; dealing with claims, lawsuits and fines; and offering free credit-card monitoring services, cash reimbursements, and other discounts to customers affected by the breach.
3) PCI remains a work in progress: The breach brought to light the fact that many retailers had not yet fully implemented the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or PCI. The rules took effect in June 2005, and required merchants — especially ones such as TJX that process a high volume of card transactions annually — to implement 12 broad security controls for protecting customer data. Court documents allege that TJX wasn’t compliant with nine of them when the intrusions took place. And TJX was by no means alone.
4) The card payment process has issues: In several states, credit unions and smaller banks have lobbied the legislatures to pass new laws requiring retailers to reimburse them for the costs involved in notifying customers of breaches and reissuing cards. Retailers have argued that the commissions they pay to card companies on each transaction are supposed to cover fraud-related costs. They also said that the only reason they store payment card data is that the credit card companies require them to. In October, the National Retail Federation (NRF) asked Visa and the other card companies to drop that requirement.
5) The bad guys remain hard to catch: Although some users of card numbers stolen in the breach have been arrested, the hackers haven’t been caught, as is typical in most breaches. “The crooks are still at it,” Mr. Litan said. “They probably will strike again. They’re laughing all the way to the bank.”
Discussion Question: What do you think the retail industry has or should have learned from the TJX security breach?