TJX Cos. said its costs from the largest computer data breach in corporate history, in which thieves stole more than 45 million customer credit and debit card numbers, have ballooned to $256 million.
The figure is more than 10 times the roughly $25 million the Framingham retailer estimated just three months ago, though at the time it cautioned it didn't know the full extent of its exposure from the breach.
The costs include fixing the company's computer system and dealing with lawsuits, investigations, and other claims stemming from the breach, which lasted more than a year before the company discovered the problem in December.
TJX disclosed the higher costs in its second-quarter earnings report, released yesterday. For that quarter alone, costs related to the data theft lowered TJX's profit by $118 million, or 25 cents a share, after accounting for taxes. Yet the company noted that strong sales during the same period suggested customers were not scared away from its stores, which include TJ Maxx and Marshalls. After the disclosure yesterday, shares fell 8 cents to close at $27.58 on the New York Stock Exchange, 8 percent below their level the day before TJX disclosed the security breach in January.
In a statement yesterday, TJX chief executive Carol Meyrowitz said that after months of study, TJX now has a better sense of its exposure. "We have continued to learn more about the computer intrusion(s) and are now able to estimate the company's liability. Over the past months, we have worked diligently to further strengthen the security of our computer systems," she said.
Previously this year, TJX has described how it believes hackers who have not been identified placed software on the company's network to capture data from at least 45.7 million customer credit and debit cards. Some numbers were used to make fake credit cards, which law enforcement authorities said were used to buy millions of dollars in expensive electronics from Wal-Mart and other retailers in Florida and elsewhere.
TJX spokeswoman Sherry Lang said the company believes it has identified the extent of its liability from the breach. In addition to the previously disclosed $25 million or so, TJX said it would take a charge of $196 million, or $118 million after taxes, for the second quarter that ended July 28, and may have to take a $35 million pretax charge in its next fiscal year, which ends January 2009.
But some security specialists questioned whether TJX's expenses will be limited to anywhere near $256 million. They said its costs could wind up being much higher depending on the outcome of lawsuits and from government investigations into the breach, which could result in fines or other sanctions.
"I don't think it's over yet," said Avivah Litan, security analyst for Gartner Inc. Investors, she said, have previously been "pretty cavalier" about the breach because TJX's sales still rose. "The moral of the story was that you could suffer a big data breach and survive. But a breach can go right to your bottom line," Litan said.
Several analysts have estimated TJX's costs could run as high as $1 billion, including legal settlements and lost sales. Forrester Research analyst Khalid Kark yesterday said that he expects the final bill to TJX to top $500 million and possibly approach $1 billion.
Other companies that lose credit and debit card data typically see only 30 percent of related expenses in the year following their losses, he said, and many litigation costs come due years after the fact.
"I would emphasize that this will be a multiyear thing," he said.
Lang said TJX's lost sales can't be quantified but noted that the company's sales of $4.3 billion in the second quarter were up 9 percent from the same period a year ago. Asked if the company's insurance coverage is sufficient to offset TJX's breach-related expenses, Lang said only that "we're still assessing that."
The Secret Service and other law enforcement agencies are investigating the data theft at TJX but have yet to charge anyone. However, in three cases in Florida, federal and state prosecutors have won guilty pleas from six individuals who admitted to using the phony credit cards with numbers stolen from TJX to buy goods illegally, and from five others in connection with the production of phony cards.
Meanwhile, TJX remains locked in dispute with many credit and debit card issuers, some of whom are still replacing customers' cards with new numbers eight months after the theft was disclosed.
In a lawsuit pending in US District Court in Boston, the Massachusetts Bankers Association and trade groups from other states seek unspecified recovery for damages they describe as being "in the tens of millions" of dollars for the costs related to replacing compromised cards. TJX said the claims are unfounded and is seeking to have them dismissed.
Financially, TJX's results were positive otherwise, with sales for the three months ended July 28 rising 9 percent, and sales at stores open at least a year -- key measure for retailers -- up 5 percent.
Net income fell to $59 million from $138 million in the year-ago period, however, chiefly because of charges related to the data theft.
Ross Kerber can be reached at email@example.com.