Consumers And Wall Street Yawn at the Biggest Breach Yet

Off-price retailer TJX Cos. Inc. might hold the dubious honor of being the merchant where the nation's worst breach of payment card data occurred, but you'd never know it by looking at the company's latest financials. Revenue and profits are up, and executives made only passing reference to the breach this morning during TJX's quarterly earnings conference call. The scant attention to the massive intrusion that potentially compromised up to 94 million credit and debit cards can be explained in part by the fact that TJX reported no new breach-related costs in the earnings report it issued today for its fiscal 2008 third quarter ended Oct. 27. The operator of the T.J. Maxx, Marshalls, Home Goods, and other chains had taken pre-tax charges totaling $215.9 million, $130 million after taxes, during the preceding two quarters for legal costs, improved computer security, and other breach-related expenses. Instead, TJX reported net income of $245.5 million, up 8% from $230.6 million in the year-earlier quarter. Although warm weather kept consumers from buying cold-weather clothing for much of the quarter, sales still rose 6% to $4.74 billion from $4.47 billion in fiscal 2007's third quarter. Sales at comparable stores, those open at least a year, rose more than 3%, and TJX upped its profit guidance for the fiscal year. Investors reacted accordingly, pushing Framingham, Mass.-based TJX's stock price up about 4% in mid-day trading over Monday's close. Not one of the more than 10 analysts who quizzed TJX president and chief executive Carol M. Meyrowitz and other top executives at the quarterly call asked about the breach. Instead, many prefaced their questions with praise for a job well done. “You guys are really knocking the cover off the ball domestically,” said one. The apparent indifference to the breach doesn't surprise Avivah Litan, a technology analyst at Stamford, Conn.-based Gartner Inc. who tracks payment security issues. In Wall Street's view, “the breach is irrelevant, as long as they can control costs,” she says. The fact that consumers haven't punished TJX by shopping elsewhere also doesn't surprise Litan. Gartner estimates that actual fraud has been linked to only a tiny fraction of the cards compromised. TJX says most of the card numbers it stored were expired. While a number of financial institutions reissued potentially compromised cards as a precaution, consumers know their credit or debit card issuers would cover any fraudulent transactions, she says. “Only about 2% of consumers were affected and none of them lost any money, so why shouldn't they go back to T.J. Maxx?” she says. Now TJX is getting deeper into the credit card business beyond being a mere acceptor of plastic. The company recently launched private-label and cobranded MasterCard programs with JPMorgan Chase & Co. as the issuer. In response to an analyst's question, Meyrowitz wouldn't say much about the program other than that the initial “soft launch” has gone well. She said she might have more details after the fiscal year ends. TJX undoubtedly will have breach-related news in the future. Although it recently settled consumer lawsuits arising from the breach (Digital Transactions News, Sept. 24), it still faces lawsuits from financial institutions seeking to recoup their reissuance costs as well as investigations by public authorities. Recent filings in the financial-institution cases upped the estimate of potentially affected cards to 94 million from the company's figure of 45.7 million (Digital Transactions News, Oct. 25). Visa Inc. has fined TJX's U.S. merchant acquirer, Fifth Third Processing Solutions, $880,000 for breach-related violations, according to one filing. The companies aren't talking, but acquirers usually pass network fines on to the merchant involved. Investigators still don't know who committed the breach, but they suspect hackers accessed TJX's computer system through wireless systems at two Miami area stores. Using those connections, they penetrated computer systems at the company's headquarters that improperly stored card data.