
The freefall primarily was due to an after-tax second-quarter charge of US$118 million related to the breach. The amount is comprised of US$11 million for costs incurred during the quarter and US$107 million in reserve funds to be used in the future for "probable losses," according to the filing.
"We have continued to learn more about the computer intrusion and are now able to estimate the company’s liability," Carol Meyrowitz, president and chief executive officer, said in a statement Tuesday.
Some experts, however, contend TJX will end up paying much more.
In fact, TJX may spend in the US$500 million range to deal with the breach fallout, Mary Monahan, a partner at Javelin Strategy & Research, told SC Magazine.com. Much of the cost is expected to come from litigation fees and government fines, she said.
"The amount they've set aside [US$107 million], I don't think that's the end," she said.
Meanwhile, net sales at the company, the parent of Marshall’s and T.J. Maxx, modestly rose from US$3.9 billion in 2006’s May-to-July period to US$4.3 billion in the same period this year, the filing said.
TJX reported a similar rise in the first quarter, when sales increased six percent to US$4.1 billion.
"Over the past months, we have worked diligently to further strengthen the security of our computer systems," Meyrowitz said. "Our customers remain our top priority, and I sincerely thank them for their support during this time."
The jump in sales may surprise some, especially after an April Javelin study that showed 77 percent of consumers intended to stop shopping at merchants that incurred a data breach. But TJX may be an anomaly because it controls the discount clothing market share.
"I think in a TJX situation, there's not a lot of competition," said Monahan, who led the study that polled 1,200 US debit and credit card users.
"There's not a lot of other places to shop that are similar to a T.J. Maxx or Marshall's. If you're going to have to travel 50 miles to shop at a place like that, consumers are going to react in a way that makes sense for their pocketbooks."
A Ponemon Institute study last year showed that breaches cost companies an average of US$182 per lost customer record, resulting in a total average expenditure of US$4.8 million.
But the TJX event, in which wireless hackers spent many months secretly scouring the company’s database, was one of the most reported data-loss incidents of all time.
So far, authorities have busted at least one criminal gang for buying stolen TJX records. The intruders have not been caught.