It initially appeared that the size of the TJX breach was around 48 million credit cards, although the theoretical maximum was as high as 200 million cards. Recently, banks are finding that the TJX breach was more like 94 million cards. That nearly one credit card for every household in the U.S.
VISA and MasterCard have lost tremendous sums of money due to this breach alone. Losses are estimated at $1.04 to $1.28 per card, which translates into a total loss as high as $120 million. But the total cost of the incident will be much higher, close to $1 billion, when counting settlements and lost sales as well as the direct losses cited here.
It is common knowledge that the most likely attack vector was unsecure wireless networks using the extremely weak WEP protocol. WEP was known to be weak in 2000, and yet six years later TJX (and thousands of other businesses) were relying upon it to protect their networks. That’s about as effective as a sign reading “Please don’t come in” on an unlocked door.
The Canadian government’s privacy commissioner released a report criticizing TJX for its weak security. This report is succinct in its findings, and is good reading if you have yet read a detailed account of the TJX breach. TJX’s 10-K report is another good source of information.
TJX breach was twice as big as admitted, banks say (The Register)
Banks claim TJX breach twice as bad (ZDNet)