
Estimates Put T.J. Maxx Security Fiasco At $4.5 Billion







http://www.informationweek.com/news/showArticle.jhtml?articleID=199203277 

By Sharon Gaudin
InformationWeek
May 2, 2007

The security breach at TJX Companies Inc. could cost the company $100 
per lost record, or a total of $4.5 billion, according to the 
calculations of a database security company.

IPLocks, a compliance and database security company, is basing the 
estimate on the accumulated costs of fines, legal fees, notification 
expenses and brand impairment, according to Adrian Lane, the company's 
chief technology officer. He added that $100 per lost record is an 
average figure for major data breaches, but IPLocks calculated expenses 
particular to TJX and arrived at the same figure.

The Ponemon Institute, a think tank focused on record privacy and data 
protection, expects the TJX breach costs to be even higher. They cite 
costs in the range of $182.00 per record, based on research from 
November 2006 of the cost of breaches incurred in 31 separate incidents. 
For TJX, this translates to $8.6 billion.

"The effectiveness of the people who stole the information is critical 
here," said Lane in an interview with InformationWeek. "They did it for 
a long time. They sold [the stolen information] out to multiple sources. 
Those credit card numbers are showing up in foreign countries. This is 
not just a U.S. security breach anymore."

Just last week, TJX was the subject of a class-action lawsuit seeking 
"tens of millions of dollars." The Massachusetts Bankers Association, 
which represents 207 financial institutions, announced that it is filing 
the suit in federal court in Boston. The news came less than a month 
after TJX disclosed in a Securities and Exchange Commission filing that 
more than 45 million credit and debit card numbers may have been stolen 
from its IT systems over an 18-month period.

The MBA also said in a release that the Connecticut Bankers Association, 
the Maine Association of Community Banks, and individual banks are 
joining as co-plaintiffs. Together, the three associations represent 
nearly 300 banks. Other banks can still join the suit.

TJX is the parent company of T.J. Maxx, Marshalls, HomeGoods, and other 
retailers. The security breach, which was announced in January, is the 
largest customer data breach on record.

"There are still so many unknowns with this breach that reliable 
assessments are truly impossible, but our estimate of more than $1 
billion is not unreasonable given the total number of affected credit 
cards and the long time period over which the breaches occurred," said 
Lane. "As an example, the ChoicePoint breach cost approximately $100 per 
record..."

The IPLocks and Ponemon estimates fall in line with figures that 
Forrester Research released earlier this month. The industry analyst 
firm calculated that the average security breach can cost a company 
between $90 and $305 per lost record. Forrester reported that analysts 
arrived at that number by surveying 28 companies that had some type of 
data breach.

Lane added that he hopes companies see these kinds of costs and learn a 
lesson from TJX's troubles.

"We keep seeing these breaches but we don't see the call to arms," he 
said. "They're not taking care with that data. If you're going to earn a 
profit on it, you need to protect it."

