Consumers don't stay angry in the face of a good deal.
That's a lesson emerging from the data breach at TJX Cos., the Framingham retailer that a year ago discovered an intrusion into its computer security that compromised as many as 100 million payment-card accounts. While the episode led to lawsuits from banks and many complaints, sales at TJX stores such as TJ Maxx and Marshalls have risen steadily this year.
Customers like Florida businesswoman Hanna Lipman help explain why. In April, Visa canceled one of Lipman's credit cards, saying it was compromised in the breach. By then, she had stopped going to the TJ Maxx store in Boca Raton.
But now, Lipman said, she is back to spending about $100 a month at the store, on pocketbooks and other items. She expects TJX will be extra-cautious about protecting her information.
"They got nailed from so many banks, I have to believe whatever can be done they have done," Lipman said.
Another customer whose card was canceled, Phil Dunkelberger, said he still shops at a TJ Maxx store in California, but pays by cash or check to reduce his risk of data theft. "I think they're much safer than other vendors who haven't had a breach and gone through the pain," he said.
Dunkelberger is chief executive of PGP Corp., a Palo Alto, Calif., security-software company that has seen its sales to retailers triple in recent years in the face of growing threats from computer hackers. PGP sponsors an annual study by the Ponemon Institute, a security consulting group. This year's study found the average cost of a data breach was $197 per compromised record, up 8 percent from 2006 and 43 percent from 2005. Most of the $197 reflects lost business from disappointed customers, Ponemon's study found, which it said demonstrates that consumers still care about the issue as total losses from breaches escalate.
To date, however, TJX seems to have escaped the wrath of customers, helping it outpace competitors as the Christmas shopping season nears its end. So far the company has taken charges totaling $256 million to pay for computer work and the costs of settling actions that include a class-action suit brought on behalf of customers. If the settlement is approved by a judge, it would entitle many to cash vouchers and other benefits. Also, on Tuesday TJX agreed to settle a suit brought by New England banks over the costs of the breach.
While some technology analysts had predicted lost business could eventually drive TJX's total costs related to the security breach to more than $1 billion, that hasn't dampened net sales, which rose to $13.2 billion for the nine months ended Oct. 27, up from $12.3 billion for the same period a year earlier, according to the company. Same-store sales rose 3 percent in the third quarter, and rose 7 percent last month compared to November of 2006, TJX said.
TJX executives have declined numerous interview requests. Describing the proposed consumer-lawsuit settlement on Sept. 21, chief executive Carol Meyrowitz said in a statement that TJX regrets any inconveniences to customers.
Executives who follow the payment-processing industry say TJX's continued sales success suggests some customers may be willing to tolerate security compromises as a price of doing business. They seem to be counting on guarantees against fraud losses from card issuers, and that negative publicity about breaches will improve overall credit card security.
But that's only the case for retailers and other merchants. Financial and medical institutions that lose control over personal data can expect more severe reactions because customers have higher expectations, said Henry Helgeson, president of Merchant Warehouse, a Boston payments-processing company. He cited the example of CardSystems Solutions, which was essentially forced into a sale in 2005 after a data breach that led Visa and MasterCard to restrict their dealings with the Atlanta company.
"Although it may not say it anywhere in the rules, financial institutions and processors are held to a higher standard," Helgeson said.
To be sure, not all TJX's shoppers are back. Linda Webster, a defense-industry manager in Maryland, said she now spends less than $10 a month at her local TJ Maxx store, instead of the several hundred dollars monthly before the breach. In an interview, Webster said the company should have notified shoppers individually of the breach and apologized for the inconvenience of having her debit card canceled. "They're a big corporation, and it doesn't seem to me that they took the right precautions," she said. "I think they're in victim mode. They have should have done more for their customers and they did nothing."
Other customers seem willing to overlook the breach, even some who were initially angry with TJX. Richard Walega, a New Bedford city employee, said he grew frustrated in January when TJX employees asked him to put in writing a tip he tried to provide them after $6,700 in unknown charges appeared on his Visa bill. In a recent interview, however, Walega said his wife still spends several hundred dollars a month at a Marshalls, mostly on clothing for their grandchildren.
"I haven't put them out of the picture," he said.
Ross Kerber can be reached at email@example.com.