This excerpt taken from the TJX 10-K filed Mar 28, 2007.
We have expended and expect to expend significant time and money as a result of the Computer Intrusion we suffered, and as a result of the Computer Intrusion, we could incur material losses, and our reputation and business could be materially harmed.
We suffered the Computer Intrusion in which we believe that customer data were stolen. We are conducting an investigation of the Computer Intrusion. To date, we have been able to identify only some of the information that we believe was stolen. Deletions in the ordinary course of business prior to discovery of the Computer Intrusion and the technology used by the Intruder have, to date, made it impossible for us to determine much of the information we believe was stolen, and we believe that we may never be able to identify much of that information. Further, we cannot predict whether we will learn information in addition to or different from the information that we now believe about the Computer Intrusion and the data believed stolen.
While we have been advised by law enforcement authorities that they are investigating fraudulent use of payment card information believed stolen from TJX, we do not know the extent of any fraudulent use of such information. Some banks and payment card companies have advised us that they have found what they consider to be preliminary evidence of possible fraudulent use of credit payment card information that may have been stolen from us, but they have not shared with us the details of their preliminary findings. We also do not know the extent of any fraudulent use of any of the personal information believed stolen. There could be significant fraudulent use of the information believed stolen from us.
We have incurred capital and other costs to investigate and contain the Computer Intrusion, strengthen our computer security and systems, and communicate with customers, as well as legal, technical and other fees, and we expect to continue to incur significant costs for these purposes. Certain banks have sought, and other banks and payment card companies may seek, either directly against us or through claims against our acquiring banks as to which we may have an indemnity obligation, payment of or reimbursement for fraudulent card charges and operating expenses (such as costs of replacing and/or monitoring payment cards thought by them to have been placed at risk by the Computer Intrusion) that they believe they have incurred by reason of the Computer Intrusion. In addition, payment card companies and associations may seek to impose fines by reason of the Computer Intrusion.
Various litigation has been or may be filed, and various claims have been or may be otherwise asserted, against us and/or our acquiring banks for which we may be responsible, on behalf of customers, banks, payment card companies
and shareholders seeking damages allegedly arising out of the Computer Intrusion and other related relief. We intend to defend such litigation and claims vigorously, although we cannot predict the outcome of such litigation and claims. Various governmental entities are investigating the Computer Intrusion, and although we are cooperating in such investigations, we may be subject to fines or other obligations. We cannot predict what actions such governmental entities will take and what the consequences will be for us. The ultimate resolution of such litigation, claims and investigations could have a material adverse effect on our results of operations and financial condition. Regardless of the merits and ultimate outcome of these matters, litigation and proceedings of this type are expensive to respond to and defend, and we could devote substantial resources and time to responding to and defending them.
Beyond the charge we took in the fourth quarter of fiscal 2007, we do not have enough information to reasonably estimate losses we may incur arising from the Computer Intrusion. These losses may include losses arising out of claims by payment card companies and banks, customers, shareholders and governmental entities; technical, legal, computer system and other expenses; and other potential liabilities, costs and expenses. Such losses could be material to our results of operations and financial condition. Further, the publicity associated with the Computer Intrusion could materially harm our business and relationships with customers.
Since discovering the Computer Intrusion, we have taken steps designed to strengthen the security of our computer systems and protocols and have instituted an ongoing program to continue to do so. Nevertheless, there can be no assurance that we will not suffer a future data compromise. We rely on commercially available systems, software, tools and monitoring to provide security for processing, transmission and storage of confidential customer information, such as payment card and personal information. We believe that the Intruder had access to the decryption algorithm for the encryption software we utilize. Further, the systems currently used for transmission and approval of payment card transactions, and the technology utilized in payment cards themselves, all of which can put payment card data at risk, are determined and controlled by the payment card industry, not by us. Improper activities by third parties, advances in computer and software capabilities and encryption technology, new tools and discoveries and other events or developments may facilitate or result in a further compromise or breach of our computer systems. Any such further compromises or breaches could cause interruptions in our operations, damage to our reputation and customers willingness to shop in our stores and subject us to additional costs and liabilities.