TJX Demonstrates Data Protection Doesn’t Matter

As much as security vendors and practitioners would like it to be true, there is no truth in the assertion that failed security leads to a drop in a company's stock value. Studies abound that show a correlation of perhaps four to eight percent declines with major data breaches, but it is hard to sustain that argument in light of TJX's spectacular failure to secure its operations and the absence of any consequences for it.

Remember Egghead Software? Now a textbook case of how not to execute a retail sales channel, Egghead was the famous brick-and-mortar computer store that attempted to jump on the Internet bandwagon by dumping its physical stores and going online only. The company was publicly traded, and its stock had started to benefit from the bubble hype in 1999; then, in December 2000, it disclosed a major breach.

The company subsequently claimed the breach was not successful and that no customer data had been exposed, but apparently the damage had been done: Egghead went into a tailspin that led to bankruptcy and eventual sale to Amazon for $6.1 million. It turns out that most analysts attribute Egghead's demise to mismanagement, not the security breach. But ever since, the security industry has tried to draw a correlation between bad security practices and company performance.

TJX is now responsible for the largest loss of credit card data in history. In January of last year it disclosed that over 45 million credit card records had been stolen. Subsequent findings point to an even larger loss: over 90 million credit cards. In Securities and Exchange Commission (SEC) filings the company states that it has set aside over $200 million to cover potential expenses and liabilities associated with the breach. While that is a huge amount of money, it is small compared with some of the projections you could make of future liabilities.

What, for instance, would be the cost of replacing every one of 90 million credit cards? At $80 per account that number would be $7.2 billion. Or, what if the various state attorneys general held TJX accountable for the actual losses the banks incur in covering all of these cards?

Moment of Truth?

On top of all of this, TJX is violating all of the supposed best practices in data breach disclosure. Most advice you will hear from PR professionals says that you should be completely forthcoming about your breach: come clean right away, explain to your stakeholders exactly what happened, and show how it can never happen again thanks to the new processes and controls you are instituting.

Has that happened at TJX? No. TJX is rewriting the book on how to handle a major breach. In that book the instructions are: admit no fault, trickle information out piecemeal, create confusion over the facts, and never reveal the hackers' techniques.

There have been several speculative articles about how the breach occurred, but never an explicit description from TJX. One article in the Wall Street Journal claims that the thieves broke in via an insecure wireless access point at a Marshall's store in St. Paul, Minnesota. Another, less widely circulated story is that thieves broke into multiple TJ Maxx stores via kiosks kept in the back of the store for accepting job applications.

I believe there were multiple incidents over a period of at least four years, and that TJX had such bad security procedures that it was open season on its data for many hackers.