I wrote about this breach a few months ago and wanted to follow up on the fallout. I got this update from Computer World. The key takeaway: when storing credit card and other sensitive customer data, it's cheaper to protect it up front than it is to clean up after a breach.
The company in January acknowledged that 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipsed the 40 million records compromised in a mid-2005 breach at CardSystems Solutions Inc., making the TJX compromise the worst ever involving the loss of personal data. The Framingham, Mass.-based discount retailer Tuesday reported after-tax charges of $118 million in its second quarter ended July 28 to cover potential losses because of the data breach. The charge includes $11 million in costs incurred during the quarter and a reserve of $107 million to cover potential future losses related to the breach. The reserves reflect the company's best estimation of probable future costs stemming from litigation, cash liabilities, investigations and other claims, the company said. Deven Bhatt, director of corporate security at Airline Reporting Corp., said the rising costs related to the TJX breach should help him convince management of the importance of heavy security investments.
While this breach has dominated the headlines, there have been other recent breaches that were also significant. The card associations like Visa and MasterCard have been pushing hard on processors and merchants to comply with PCI. They are worried that if the industry can't successfully tame this on its own, someone like Big Brother may want to get more closely involved.
The fundamental problem I see is that even when a company becomes PCI compliant, it doesn't necessarily mean that it is secure. Compliance and security are two different things. PCI efforts will certainly make breaches more difficult, but they won't prevent them. It's a stepped process, and perhaps both will come in the same package down the road.