The cost of the TJX data breach could be as high as $1.6 billion, a figure that dwarfs the official costs mooted by the US retailer, a security vendor has claimed.
The cost of the data breach at TJX, the parent company of UK discount retailer TK Maxx, could be as high as $1.6bn (£800m), far higher than the retailer's own estimates, a security vendor has claimed.
Details of 45.6m payment cards were stolen from TJX in the world's biggest ever data theft. The stolen information included card details for an unknown number of UK customers taken from the retailer's computer systems in Watford, Hertfordshire.
But the estimate from security vendor Protegrity puts the bill for cleaning up the effects of the breach in the billions, a figure it has backed up with detailed cost calculations.
TJX recently took a $12m (£6m) after-tax charge on its accounts for the first quarter of 2007, a sum widely seen as underplaying the financial consequences of the data theft.
But according to Protegrity, the real costs will be racked up in a blizzard of simple issues that TJX will not be able to avoid, including the biggest of them all, contacting and helping customers. It assumes that each customer record will cost TJX $5 to service, and that 20% of those whose data was breached will request a credit watch. The result is a bill of $1.242bn (£621m).
Smaller costs include legal advice ($12m a year), internal investigations ($8.1m) and public relations ($3.4m). More contentiously, Protegrity calculates that if 10% of the records are compromised by criminals, at an average cost of $50 per record, the charge back to TJX would be $228m (£114m) in direct costs. The probability of an exploit on any one record is said to be about one in three.
Surprisingly, official action against the company in the form of regulatory fines makes up only a trifling $1.5m (£750,000) of the total estimated hit.
The theft of customer data from the TK Maxx stores and other outlets run by TJX is estimated to be the biggest such heist ever recorded. Attackers are believed to have broken into the company's databases through unprotected wireless access points over a period of some months in 2006.