Security Watch | Matt Hines » TJX breach could cost company $1B

April 12, 2007

TJX breach could cost company $1B

How much will it cost to clean up the mess caused by TJX Company's loss of financial records on 45 million customers? What would you think if I told you it would cost, in the words of Dr. Evil, $1 million dollars?!!!!? Not too bad? *Ahem* Sorry. How about $1 billion dollars?!!?! Now that's more like it! And that's the number that security industry analysts are bandying about in today's Boston Globe. How'd they get to the $1B figure? Well, it's all pretty fishy, but the formula looks something like this: (cost_per_lost_record x number_of_lost_records) + cost_of_IT_cleanup = total_cost_of_breach.

Not surprisingly, there are a lot of caveats, with at least one expert, Larry Ponemon of the Ponemon Institute, putting the figure in the hundreds of millions of dollars, and a Forrester analyst, Khalid Kark, putting it as high as $1.35 billion.

Forrester's number comes from that firm's estimate of a cost per lost record of $90 and an estimate that around 15 million of the 45 million stolen credit records were for unexpired debit and credit cards.

Curiously, Ponemon estimates that the cost to replace stolen records is a lot higher -- $182 per card -- but that no company that has experienced a data loss has spent more than $22 million to recover from it. Given that other companies have experienced similarly sized breaches -- ChoicePoint, CardSystems -- it's hard to see how $22 million could be the ceiling, but that's what the article says.

Other cleanup costs -- computer forensics and new consulting fees, better intrusion detection products ... a database firewall, anyone? -- are just the cost of doing business and would be no more or less had a breach not occurred (translation: "they need this stuff anyway, so who cares why they're buying it?").

Besides, the costs to the company would be amortized over one or two years -- or more, depending on the outcome of lawsuits filed against TJX and the aftermath of the breach (in other words, how many consumers are victims of ID theft that can be traced back to TJX).

So, if security analysts are bearish on TJX, Wall Street certainly isn't. As the Globe story points out, the company's stock is trading within five or ten percent of where it was the day before news of the leak was disclosed.

Add it all up, and you've got to ask: "Is there really a price to pay for violating your customers' privacy?"

Posted by Paul Roberts on April 12, 2007 08:29 AM

