TJX, the parent company of UK discout clothing chain TK Maxx, has announced it took a $12 m (£6.04m) after-tax charge for the quarter ending 28 April in connection with the data breach it disclosed in January.
The charge of $0.03 per share included the costs involved in investigating and containing the intrusion, beefing up computer security, communicating with customers and various legal and other fees, the company said in its first quarter earnings statement.
The company expects to incur a similar charge of $0.02 to $0.03 per share in the second quarter, as well, TJX said. It also warned investors of even more potential costs down the road. "TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses," TJX said in its statement.
In January, the company announced that someone had broken into its payment systems and illegally accessed card data belonging to customers in the US, Canada, Puerto Rico, the UK and Ireland. In filings with the US Securities and Exchange Commission (SEC) in March, the company said 45.6m credit and debit card numbers were stolen over a period of more than 18 months by an unknown number of intruders.
That number eclipsed the 40m records compromised in a mid-2005 breach at CardSystems Solutions and made the TJX compromise the worst ever in terms of the loss of payment card data. Last week reports emerged that an secured wireless store network may have been the weak link in its security defences.
The $12m charge comes on top of the $5m in breach-related costs cited by TJX in the previous quarter. And that may just be the tip of the iceberg, said Khalid Kark, an analyst with Forrester Research, who released a report last month on all the factors that need to be included when totalling data breach costs.
Apart from direct expenses related to breach discovery, response and notification, companies also incur a variety of other costs such as those stemming from regulatory fines, lawsuits and additional security and audit requirements.
Last month a group of banks filed legal action against TJX, seeking tens of millions in restitution for the expenses involved in blocking and reissuing thousands of debit cards following the breach.
There are also less tangible costs such as lost employee productivity and opportunity costs that need to be factored in, Kark said. The expenses disclosed by TJX could be "just a fraction" of what the breach could eventually end up costing the company.
"This is something that is going to play out over years," he said.