TJX Analysis: Court Case 'Would Not Have Been Pretty'

The TJX Companies, Inc. (NYSE: TJX) may have agreed to pay more than $40 million in a recently-announced settlement with Visa, but the collateral damage might have been significantly worse had the case gone to trial and revealed details of the security/compliance conditions that allowed customer data to be breached. (See related story: TJX, Visa Agree to $40.9 Million Payout for Data Breach).

According to David Taylor, President of the PCI Security Vendor Alliance, had this case been heard in court, revelations about TJX's security practices "would not have been pretty."

"There would have been a lot of things that would have come out that they wouldn't want revealed, including how they handled or mishandled wireless security upgrades," Taylor says.

Taylor, an information security consultant, spends most of his time working with retailers on PCI Data Security Standards compliance. "TJX's wireless security was where the criminals got into its systems," he adds. But wireless is the 'tip of the iceberg' when it comes to what other security problems exist in most retail environments, including point of sale, online sales and in call centers, he notes.

He concludes that it was in the company's best interest to settle, rather than let the public know what goes on in those other areas. "To settle and avoid questions about the company's overall compliance is an easy choice for most retailers," Taylor says.

The proposed payout is a result of news announced earlier this year, when Massachusetts-based retailer TJX, the parent of discount chains including TJ Maxx and Marshalls, revealed that more than 46 million credit and debit card accounts were hacked in the data breach, going back as far as 2003. Later, court documents revealed that number may be more than 96 million customers affected.

'Off the Hook'
With the pending settlement in place, awaiting an 80 percent acceptance from the affected issuing institutions later this month, Aite Group Payments Analyst Adil Moussa says that Visa allowed TJX "off the hook" when it came to what the retailer could have been forced to pay.

"With the $40 million settlement, Visa is cracking the whip, but doesn't want to anger a big merchant," says Moussa. As part of the settlement, Visa also reduced the fines imposed for PCI-noncompliance on the retailer.

The banks that sued TJX (a total of 19 lawsuits were filed against the retailer because of the breach) didn't necessarily want to sue the retailer. "But as an issuer, that's what these banks were forced to do, because of the huge number of cards that were involved in the breach," Moussa says. Acquiring banks that handle TJX transactions, such as Fifth Third Bank, were "slapped pretty hard with an $800,000 fine." These fines were imposed because the acquiring banks are responsible for ensuring that merchants are compliant, Moussa explains.

The message to acquiring banks and merchants is "PCI's Data Security Standard is not something to be taken lightly."

TJX Timeline
Important dates to bear in mind as the TJX matter unfolds:

  • December 11 -- First District Federal Court, Boston considers important pending motions related to class certification in Bankers Class Action Suit.
  • December 19 -- Date when 80% of the card issuers must accept the alternative recovery offer.
  • December 27 -- If card issuers accept the terms, this is when payment will be made.
Total Bill may Top $500 Million
Which is not to say that Dec. 27 is when this saga will end.

The estimated cost of the data breach when the dust settles and the final tallies are in may still top $500 million, says George Tubin, Financial Information Security Research Director at Tower Group. "This is despite the fact only credit card numbers were stolen, and the liability to the consumer is not the same as if they had lost the golden keys of social security number and mother's maiden name," Tubin says.

While there has been little or no impact to TJX's sales because of the breach, Tubin notes that it will be hard to determine what the retailer's sales and stock price would have been had the breach not happened. The future impact of the breach on the issuing banks involved has yet to be seen, especially in terms of consumers closing accounts and cancelling bank credit cards, Tubin says.

That financial institutions actually sued TJX for this breach sends a very strong message to companies that they cannot be callous with data and have to be much more protective when it comes to protecting sensitive customer data, says Tubin, who predicts the cost of data breaches will be significantly higher because of the TJX case. (See related story: Data Breach Costs Rising).

And there are still cases pending. "Visa is only one credit card company, there are other groups who are lined up to go after them," Tubin says.

Retailers Forewarned
The PCI standards and move to more secure transactions has many backers in the retail industry, including the five major credit card companies. "A lot of money has been sunk into it from many different sides to ensure merchants and institutions handle data safely," Moussa says. The PCI Standards Council forewarned everyone about the new standards to the point where "even the acquiring banks gave money to merchants to help with compliance efforts."

However, for retailers, PCI compliance fights a losing battle. "It isn't really high on their priority list. They're retailers, and they're more focused on selling, not security," he says. As more retailers become compliant with PCI security standards, Moussa sees an evolution occurring.

"As soon as everyone is compliant, the crooks are going to find new ways to get in and steal data by exploiting a new weakness. There is no silver bullet."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.