NEW YORK - TJX took a minimal hit in 2007 after it disclosed a major data breach of customer information at its T.J. Maxx, Marshalls and HomeGoods stores.
But so far, Target Corp. hasn’t fared as well. More than two months after revealing Dec. 19 that hackers stole credit-card numbers and personal data of millions of its customers, the retailer’s sales, profit and stock prices have dropped.
What’s worse, the nation’s second-largest discounter faces the prospect that some shaken shoppers may not return to its stores for a long time. In fact, Target on Wednesday said it expects business to be muted for some time, although it said sales are recovering since the breach was disclosed.
TJX declined to comment for this story.
John Mulligan, Target’s chief financial officer, told The Associated Press on Wednesday that the most loyal customers have stuck with Target but wooing back others will take time.
“We need to remind people why they fell in love with Target,” he said.
TJX found itself in the same situation seven years ago when it announced what was the largest security breach by a retailer at the time. Still, the fortunes of TJX Cos. and Target may wind up being quite different.
Although the data breaches at the two retailers each affected millions of shoppers, analysts say a combination of factors makes Target’s challenge bigger. Those include the timing of each company’s disclosure and Americans’heightened sensitivity toward privacy concerns now versus in 2007.
The retailers’ fates are playing out differently so far. TJX’s stock slid 12 percent to as low as $13 in the weeks after its security-breach disclosure. But by the end of 2007, shares rebounded and today, TJX shares are trading around $58.
Sales also weren’t derailed in the aftermath of the TJX breach: Revenue at stores opened at least a year, an important retail measurement, were up a better-than-expect-ed 4 percent for the year after the breach.
Meanwhile, Target said on Wednesday that its profit in the fourth quarter fell 46 percent on a revenue decline of 5.3 percent as the breach scared off customers worried about the security of their private data. Revenue at stores open at least a year fell 2.5 percent.
Target’s stock had fallen 11 percent since it disclosed the breach in mid-December. But on Wednesday, investors pushed shares up nearly 7 percent on the news of recovering sales. The stock is now trading around $60, down 5 percent since the theft was disclosed.
Analysts say one reason Target is suffering more than TJX did may have something to do with the timing of their disclosures.
Target disclosed its breach just before Christmas, revealing that 40 million credit- and debit-card accounts had been compromised between Nov.27 and Dec. 15. Target said it disclosed its breach within days of finding out about it, shortly after the news was leaking online. But the news also came at the worst time for a retailer: During the final days before Christmas, the busiest shopping period of the year.
Target later revealed the theft was wider than originally believed. On Jan. 10, it said hackers also stole personal information - including names, phone numbers, and email and mailing addresses - from as many as 70 million customers.
Target has said there is some overlap between the two batches of data stolen. When the final tally is in, Target’s breach may eclipse the theft at TJX, which is the largest incident for a retailer on record.
Conversely, TJX found out about its breach in mid-December 2006 but didn’t make it public until the next month. TJX’s theft compromised more than 90 million records over an 18-month period starting in mid-2005.
In March 2007, the retailerdisclosed that 45.6 million credit cards were compromised, but a group of banks suing the retailer put that number at more than 90 million in an October 2007 court filing.
The fallout from Target’s breach also comes as the company is struggling with other problems; TJX’s business was doing well at the time of its disclosure.
Target was already experiencing sluggish sales in the U.S. as it faced increased competition from online retailers and other rivals. Abroad, it is facing disappointing results from its first international expansion into Canada.
“This is hitting [Target] when they already have rough challenges,” said Amy Koo, an analyst at Kantar Retail, a consulting group. “This is taking huge attention away from critical long-term issues.”
On the other hand, the breach at TJX happened as its formula of offering big discounts on major fashion and home brands was resonating even more as the country was heading into a recession.
Target may also pay a heftier price financially than TJX because its breach could cause more damage.
Target said it can’t yet estimate how much the data breach will cost it in total. But Avivah Litan, a security analyst at technology research firm Gartner Inc., a technology research firm, puts the costs of the Target breach at between $400 million and $450 million, including bills associated with fines from credit-card companies and services for its customers such as free credit-report monitoring.
But TJX’s costs, which Litan estimated at $275 million, pale in comparison. That included costs associated with lawsuit settlements and fixing its security systems.
Litan said Target faces more costs because there was more damage from the breach. In the case of TJX, about three-quarters of the cards compromised had either expired by the time of the theft or had masked data in the magnetic strip, meaning the information was stored as asterisks rather than numbers.
“It took the criminals much longer to get them to the black market and then turned into counterfeit cards,” Litan said of the TJX breach. “This time, the criminals moved with lightning speed to cash out.”
Target also may be hurt more because Americans are more aware of security concerns since TJX’s breach.
Robert Passikoff is president of Brand Keys Inc., a New York customer research firm, which has an index that tracks shoppers’ expectations on price, reputation and store experience for different categories of stores. Any score under 70 means a brand is in trouble, said Passikoff, who believes shoppers have a more heightened sense of expectations regarding security nowadays.
Target’s score has dropped 11 percentage points to 77 percent since the theft was disclosed. In the discount category, Target fell from the No. 2 spot after Wal-Mart Stores Inc. to the No. 3 spot behind Kmart. Conversely, in the wake of the TJX breach, T.J. Maxx, its largest business,had only a three percentage point drop to 81 percent, which he said is insignificant.
Still, shoppers such as Colleen McCarthy, 26, give Target hope. McCarthy, who lives in Cleveland, has pulled back dramatically on shopping at Target since she was alerted by Chase bank that thieves had cleared $150 from her bank account, which made her rent check bounce. But McCarthy is slowly warming up to shopping at Target more frequently again.
“I can’t see avoiding it forever,” she said. “I am hoping they stepped up security.”
Business, Pages 73 on 03/02/2014