One year later: Five takeaways from the TJX breach

One year ago last Thursday, The TJX Companies disclosed what has turned out to be the largest information security breach involving credit and debit card data -- thus far, at least.

The data compromise began in mid-2005, with system intrusions at two Marshalls stores in Miami via poorly protected wireless LANs. The intruders who broke into TJX's payment systems remained undetected for 18 months, during which time they downloaded a total of 80GB of cardholder data.

TJX eventually said that 45.6 million card numbers belonging to customers in multiple countries were stolen from its systems. Even that number may be far too low: A group of banks that is suing the retailer claimed in an October court filing that information about 94 million cards was exposed during the serial intrusions.

The sheer size of the data theft puts TJX in a league of its own among companies hit by such incidents, and the breach has made it something of a poster child for sloppy data security practices among retailers. In addition, the breach highlighted several familiar issues and some not-so-familiar ones.

Here, on the one-year anniversary of the breach becoming known, are five takeways for security managers:

Breach disclosures don't always affect revenue or stock prices ...

Despite being the biggest, costliest and perhaps most written-about breach ever, customer and investor confidence in TJX has remained largely unshaken. TJX's stock was worth about US$30 per share when the breach was disclosed, and its closing price today was just over $29. Meanwhile, the retailer said this month that in the 48-week period that ended Jan. 5, its consolidated comparable-store sales increased 4% from the year-earlier level.

Clearly, TJX's customers weren't as concerned about the breach as many observers had expected they would be. Much of that no doubt has to do with the fact that consumers realize they themselves won't have to pay for any fraud that might result from payment card compromises, said Avivah Litan, an analyst at Gartner Inc.

... but they can be costly

TJX has said that in the 12 months since the breach was disclosed, it has spent or set aside about US$250 million in breach-related costs. That includes the costs associated with fixing the security flaws that led to the breach, as well as dealing with all of the claims, lawsuits and fines that followed the breach.

For instance, settlements reached by TJX include offers of free credit-monitoring services for three years to consumers whose driver's license numbers were exposed in the breach, plus cash reimbursements, vouchers and a promised three-day customer appreciation event this year, during which the company plans to offer 15% discounts on all goods.

"I think a lot of companies are seeing how costly these breaches can get," said Forrester Research analyst Khalid Kark. As a result, there's a lot more awareness in the executive suite about the need for security controls, Kark said. He previously estimated that the breach at TJX could end up costing the company US$1 billion over the next few years.

PCI remains a work in progress

The breach brought to light the fact that many retailers, including top-tier ones like TJX, had not yet fully implemented the set of security controls mandated by the major credit card companies under the Payment Card Industry Data Security Standard, or PCI. The rules took effect in June 2005, and required merchants -- especially ones such as TJX that process a high volume of card transactions annually -- to implement 12 broad security controls for protecting customer data.