From TJX to Target: Protect or Pay Up!

By Elevate posted 03-28-2014 12:00



As many would have rightly guessed, Target has been sued due to the significant data breach affecting its customers in 2013. According to this Reuters article, “Trustmark National Bank and Green Bank NA accused the defendants [Target Corp and Trustwave Holdings Inc, which provides credit card security services] of failing to properly secure customer data, enabling the theft of about 40 million payment card records plus 70 million other records.”


This reminds me of the prominent TJX (operator of TJ Maxx stores) data breach eight years ago that affected ~94M records, making it the largest single data breach to date. You can learn more about it on the Hacks of Ages timeline that Erin O’Malley so eloquently described recently. Juniper will add the Target breach to it.


According to the Ponemon Institute 2013 Cost of Data Breach Study: Global Analysis report, German and U.S. companies had the most costly data breaches ($199 and $188 per record, respectively). For U.S. retailer TJX, the financial losses were significant. The company agreed to pay $9.75 million to 41 states. Of this, per the settlement, $5.5 million was to be dedicated to data protection and consumer protection efforts by the states, and $1.75 million was to aid in reimbursement of the costs and fees of the investigation. Further, $2.5 million of the settlement was to be used to fund a Data Security Trust Fund to be used by State Attorneys General to advance enforcement efforts and policy development in the field of data security and protecting consumers’ personal information.


Let’s see how Target fares financially with regard to the settlement. In the meantime, I hope that both these and other enterprises will take effective, preventative measures to detect and stop such attacks early. If they don’t protect their customers’ data, certainly, sooner or later, they will have to pay the price. And, as my esteemed colleague, John Pennington, warned loudly and clearly in his blog, which summarizes the findings of a compelling study of the cybercriminal world, “Take action or be hacked!”




03-31-2014 16:10

Very good point, Jay! Indeed, reputation costs surpass the fines and lawsuit costs, and often the damage done is irreversible.

03-28-2014 17:18

Great blog post, Seema, as usual! But, the fines and lawsuits are only really a small fraction of the cost paid by well-known public companies - particularly retailers - when it comes to data breaches and other attacks from which sensitive customer data is stolen or lost. The reputation cost can be a much greater hit to their bottom line, is much more difficult to quantify, and can have a much longer, lingering effect than industry or government fines and action, or lawsuits. Also, in some cases, there may be criminal liability to be meted out against corporate execs as well! All of this makes protecting sensitive customer (or patient) data more important - and critical to the corporate bottom line - than ever!