TJX has announced it took a $12 million (£6.04m) after-tax charge for the quarter ending 28 April in connection with the massive data breach it disclosed in January.
The charge of $0.03 per share included the costs involved in investigating and containing the intrusion, beefing up computer security, communicating with customers and various legal and other fees, the company said in its first quarter earnings statement.
The company expects to incur a similar charge of $0.02 to $0.03 per share in the second quarter, as well, TJX said. It also warned investors of even more potential costs down the road. "TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses," TJX said in its statement.
The US-based TJX retail group owns several retail brands, including TK Maxx in the UK and Marshalls and Bob's Stores in the US.
In January, the company announced that someone had broken into its payment systems and illegally accessed card data belonging to customers in the US, Canada, Puerto Rico, the UK and Ireland. In filings with the US Securities and Exchange Commission (SEC) in March, the company said 45.6 million credit and debit card numbers were stolen over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions and made the TJX compromise the worst ever in terms of the loss of payment card data. Last week, reports emerged that an secured wireless store network may have been the weak link in its security defences.
The $12 million charge comes on top of the $5 million in breach-related costs cited by TJX in the previous quarter. And that may just be the tip of the iceberg, said Khalid Kark, an analyst with Forrester Research, who released a report last month on all the factors that need to be included when totalling data breach costs.
Apart from direct expenses related to breach discovery, response and notification, companies also incur a variety of other costs such as those stemming from regulatory fines, lawsuits and additional security and audit requirements. Several lawsuits have already been filed against TJX, including one by the Massachusetts Bankers Association seeking tens of millions in restitution for banks that were forced to block and reissue thousands of debit cards following the breach.
There are also somewhat less tangible costs such as lost employee productivity and opportunity costs that need to be factored in, Kark said. The expenses disclosed by TJX could be "just a fraction" of what the breach could eventually end up costing the company.
"This is something that is going to play out over years," he said.