TJX Demonstrates Data Protection Doesn’t Matter

According to TJX’s official press releases and an SEC filing, they first became aware of the presence of “unauthorized software” on their computer systems on December 18, 2006, and they reported it for the first time to Federal authorities on December 22.

Is TJX telling the truth? Remember the arrests in Florida of the criminal gang that were using stolen TJX credit card information to manufacture fake credit cards and purchase fresh gift cards? Well, Florida prosecutors filed documents in court regarding their investigation in November 2006. They knew the stolen credit cards had come from TJX, and they cited documents provided by TJX that indicated they were stolen in May of 2006. Pretty strange that TJX now denies that.

While TJX expertly handles the release of information about their security failings, other retailers must operate in ignorance and most probably fall victim to similar attacks. And what is the impact to TJX from this record-breaking, mishandled incident? I’ll tell you. Same-store sales for this past January were up three percent over last January. While other retailers are suffering, TJX is thriving. TJX’s stock apparently took a short-term hit as it fell from $25 per share to $22 last January, but it now sits at $30.

Lessons Learned

First, esoteric matters like IT security really do not matter to the overall performance of a retailer. Customers, employees, and stakeholders apparently don’t care. Second, no matter what the security industry says, you should not justify security spending based on the potential impact of a data breach on your stock price. That theory is completely disproved by TJX.

But let me point out that TJX has attributed $200 million in direct costs to this breach. It is easy to surmise this is bigger than just about anyone’s security budget. In TJX’s case, some well-known security practices and a little security spending would have avoided this whole incident.