Many information security professionals find it difficult to put a number on the cost of a breach and thus to justify requesting more funds in their budget. Here’s a useful piece of information for them: the TJX Companies reported that in the first quarter of FY08 (Feb - Apr 2007) the breach cost them $17 million. The main components of the price tag were investigating the incident, upgrading the company’s network security, communicating with its customers, and legal fees.
Note that this cost covers only the three months of the reporting quarter and excludes lost goodwill, which is very hard to estimate, though the damage to TJX’s reputation is surely significant. The company estimates that the costs for the next quarter will be similar. But this is not all. In a statement, TJX said:
“Beyond these costs, TJX does not yet have enough information to reasonably estimate the losses it may incur arising from this intrusion, including exposure to payment card companies and banks, exposure in various legal proceedings that are pending or may arise, and related fees and expenses, and other potential liabilities and other costs and expenses.”
With the growing number of lawsuits against TJX, the cost will surely increase.