TJX Data Theft Proving Expensive for Discount Retailer

TJX, the owner of a number of off-price retail brands, including T.J. Maxx, Marshalls and A.J Wright stores, disclosed a data breach in 2007, where 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. As a result of the computer intrusion, the retailer has spent more than $195 million in 'learning how to protect online payment systems from hackers,' according to the company's third-quarter 2009 regulatory filing:

TJX suffered an unauthorized intrusion or intrusions (collectively, the "Computer Intrusion") into portions of its computer system, which was discovered during the fourth quarter of the fiscal year ended January 27, 2007 ("fiscal 2007") and in which TJX believes customer data were stolen. Since the discovery of the Computer Intrusion through the end of the fiscal 2009 third quarter, TJX had cumulatively expensed $195 million with respect to the Computer Intrusion....

At October 25, 2008, TJX had set aside an additional $58 million in reserves, reflecting management's current estimate of remaining probable losses from the breach, including cash liabilities from pending customer lawsuits, investigations, and credit monitoring protection services for affected customers. In the age of cybercrooks, it is not just shoplifters in their brick and mortar stores that retailers like TJX need to keep an eye on.

David Phillips

David Phillips has more than 25 years' experience on Wall Street, first as a financial consultant and then as an equity analyst for several investment banking firms. He sifts through SEC filings for his blog The 10Q Detective, looking for financial statement soft spots, such as depreciation policies, warranty reserves and restructuring charges. He has been widely quoted in outlets such as BusinessWeek, The International Herald Tribune, Investor's Business Daily, Kiplinger's Personal Finance, and The Wall Street Journal.

More from CBS News