The $100 Million InfoSec Budget
TJX’s breach-related bill could surpass $1 billion over five years — including costs for consultants, security upgrades, attorney fees, and added marketing to reassure customers, but not lawsuit liabilities — estimates Forrester Research, a market and technology research firm in Cambridge, Mass. The security upgrade alone could cost $100 million, says Jon Olstik, a senior analyst for Enterprise Strategy Group, a Milford, Mass., consulting firm, based on his conversations with industry experts and people familiar with the work being done.
Uh, wow. That’s quite a “security upgrade”.
Frankly, I find this to be quite a sloppily written, ambiguous and confusing article. For example, the author describes a small Louisiana bank (emphasis added):
The problems first surfaced at credit-card issuers such as Fidelity Homestead, the Louisiana savings bank.
Later in the article we find this:
…losses for the small bank have climbed from about $7,000 to about $23,000. “The fraud cuts right into our profits,” says Fidelity’s Mr. Fahr. He says the credit union has asked Visa to reimburse it for the losses, but the credit-card association so far hasn’t done so. Visa declined to comment.
Is it a bank or credit union? Is anybody checking facts in this article? Consistency? Bueller? Bueller? Bueller?
How about this one:
TJX’s breach-related bill could surpass $1 billion over five years — including costs for consultants, security upgrades, attorney fees, and added marketing to reassure customers, but not lawsuit liabilities — estimates Forrester Research, a market and technology research firm in Cambridge, Mass.
Now there’s a headline to latch onto. The Billion Dollar Incident (not including lawsuits)! One year (or so) worth of profits up in smoke (over five years, of course). At least the author had the decency to go to Forrester for a number that someone pulled out of their elbow.
Now thanks to the integrity of Generally Accepted Accounting Principles, we’ll never know the real dollar cost. It can be amortized, monetized and disguised in various interesting ways. Over-inflated, even, if it serves the purposes of TJX’s CFO and how they state earnings. But I have a hard time believing it’s going to be a thousand million dollars (not including lawsuits) in “consultants, security upgrades, attorney fees, and added marketing”. And I realize that there are plenty of $500 an hour attorney fees in that $1 billion dollar number, but if it costs TJX more than 1/3 of that number on consultants and security upgrades, then wow, I don’t know quite what to say.
Funny thing is, in the long term it might be good for TJX. Let’s say that $1 billion dollar number seems “acceptable” to stockholders and the board. Chances are, they’ll run out of security stuff to spend money on (lots of shelfware, no doubt) and eventually the majority of what’s left will become a marketing expense, a brand new campaign to bring new customers and increase sales - justified by the incompetence of their IT department (honestly, WEP in the stores, what’s up with that?).
Maybe our counterparts in corporate marketing are actually rooting for our failures? I can see it now: “We need a shiny new marketing campaign, can we engineer a minor incident that will convince the people upstairs that we need to “reassure” the public?”


Rob Newby May 6
Hi Alex, great article. I’m going to reference it at least once today. Have you got references for the original quote? I couldn’t find it when I googled it. Cheers,
Rob.
Alex May 6
Hi Rob,
Sorry, it’s page 1 Wall Street Journal:
http://online.wsj.com/article_email/article_print/SB117824446226991797-lMyQjAxMDE3NzA4NDIwNDQ0Wj.html
Saso May 6
Alex hypothesises: “Maybe our counterparts in corporate marketing are actually rooting for our failures? I can see it now: “We need a shiny new marketing campaign, can we engineer a minor incident that will convince the people upstairs that we need to “reassure” the public?””
Nah, they’d never do that. You see, marketing isn’t a big monolithic department that people usually think about. Channel management doesn’t talk to sales, who don’t talk to advertising, who just P’d off market research, who is too geeky for sales to talk to more than is purely necessary. And PR is, believe it or not, despised by everyone, because they’re behaving like a ‘freaking elite’. And PR doesn’t miss an opportunity to rub it in to others when they fail to do the stellar job and PR needs to come in and save the day.
Does it sound like IT yet?
When was the last time you saw IT departments pull their socks up and work together as a team?
Alex Hutton May 7
Saso,
I know when I’ve been “out-cynic-ed”. You win!