The numbers are out on the largest data security breach in history, and they're not pretty.

U.S.-based TJX Companies, Inc., which owns Winners, Homesense and TJ Maxx, managed to expose at least 45.7 million credit card numbers, as well as other personal data of customers, to a sustained, multi-year hacker attack.

Every time an outraged shopper is interviewed in front of a Winners store, the company pays for its carelessness in the court of public opinion.

But is that enough? Maybe not. In fact, perhaps someday you, Mr. or Ms. Winners shopper, will be getting a cheque in the mail.

Read on.

TJX admitted recently in a filing with the U.S. Securities and Exchange Commission that it "learned of suspicious software on our computer systems" on Dec. 18, 2006.

Doesn't say how. Doesn't say who. They do mention that General Dynamics Corp. and International Business Machines Corp., leading computer security and incident response firms, were engaged to assist in the investigation.

The story got uglier when it came out that credit card information dating back to January 2003 had apparently been compromised, and that the bad guys even got the names, addresses and driver's licence numbers of people who returned merchandise without receipts to TJ Maxx stores in the U.S. and Puerto Rico. That's quite enough data to do some nasty identity thieving.

For a while, it looked like the computer intrusion was just a theoretical risk.

Maybe the people who stole the files got cold feet and wouldn't actually use the credit card numbers.

No such luck.

In late March, six individuals in Florida were arrested while allegedly on a TJX-fuelled shopping spree.

They were accused of buying huge piles of gift cards at Wal-Mart and Sam's Club, the affiliated big-box store in the U.S.

Before we criticize their taste in retail, it should be noted that store gift cards are anonymous, largely unregulated, and oh-so-easy to sell on eBay (where they fetch close to their face value) or even in the parking lot of the store (at a small discount).

Or you can just buy stuff with them. According to the Florida Department of Law Enforcement (FDLE), the accused allegedly redeemed the cards for items including "computers, gaming devices and big-screen televisions."

Three of the six have pleaded guilty, while the others go to trial later this month.

But it's important to note that those arrested are not believed to be the hacker masterminds behind the TJX heist.

Nor were they rocket scientists, despite living in Florida. Sure, it's alleged they loaded up the gift cards in $400 chunks because they knew that Wal-Mart requires ID for cards with more than $500 on them. But $24,000 worth of cards were purchased at once.

Hey, that's not going to attract attention.

And get this - they allegedly redeemed some of them at Sam's Club, a members-only shopping warehouse that had their real names and driver's licence photos on file.

It wasn't too hard to match some of the accused up against images from surveillance videos.

(Note to self: Don't commit crime in my own neighbourhood.)

The estimated losses, according to FDLE, currently total more than US$8 million in Florida and are still being calculated.

Who pays? Conventional wisdom says "all of us," as businesses pass on costs to consumers. In the short term, the banks issuing the credit cards are certainly on the hook as outraged cardholders protest bogus charges.

TJX may get socked with some stiff fines. The U.S. Federal Trade Commission (FTC) confirmed that it has launched an investigation of the company.

A comparable data breach investigated by the FTC cost Georgia-based ChoicePoint US$10 million in civil damages and $5 million in customer redress.

Then, there are the class-action lawsuits. TJX discloses that "a number of putative class actions have been filed against TJX in state and federal courts in Alabama, California, Massachusetts and Puerto Rico, and in provincial Canadian courts in Alberta, British Columbia, Manitoba, Ontario, Quebec and Saskatchewan."

The outcomes will be a long time coming. Lawyers and judges don't hurry.

To make a bad year worse, TJX says it has also "been advised that the Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta have initiated formal investigations of TJX."

A spokesperson for the Alberta commissioner confirms the investigation is ongoing and says they expect to have a report out in mid-May, possibly jointly with the federal commissioner.

What is clear is that any money TJX may have saved by not thinking real hard about computer security is going up in smoke in lawyers' fees.

I'm pretty confident that I was a victim of the Winners fiasco, since I have indeed shopped there and recently received an unsolicited shiny new Visa card from my bank with a vague letter about security breaches.

Now I get to locate all the pre-authorized transactions that had the old number, and waste my time changing them. Not to mention watching my statements like a hawk for the next few months.

Surely, my time is worth something.

So, in an academic paper presented at the recent Western Social Science Association conference in Calgary, I argue that the time has come to monetize the cost of privacy breaches in favour of the consumer.

Yes, monetize, not just notify.

Several U.S. states, notably California, have strict laws requiring that consumers be alerted when their private data is compromised.

Canada's federal privacy commissioner, in a recent submission to a House committee reviewing the Personal Information Protection and Electronic Documents Act (PIPEDA), argues for some form of "duty to notify" requirement.

It says the Winners case, and another involving CIBC's Talvest Mutual Fund, "have generated an urgency to resolve the data-breach notification issue."

"Although several organizations have voluntarily informed our office of security breaches, other organizations will likely inform us or the individuals affected only if obligated to do so."

The Canadian Internet Policy and Public Interest Clinic, noting that most U.S. states have some form of mandatory privacy breach disclosure, agrees that PIPEDA should be amended to require timely disclosure and that "failure to notify affected individuals as required under the act should be subject to tough penalties."

Of course, disclosure notices can become like spam if you get them too often. But maybe if they had a cheque inside they wouldn't get tossed out with the junk mail.

Here's a suggestion to TJX president and CEO Carol Meyrowitz about how to treat her privacy victims. Dump the weepy personal apology on your website, and send us each a $25 gift card to lure us back into your stores.

Do it now, before even more of your "valued customers" (your term for us) apply the "thrill of the find" (your marketing slogan) to you in court.

(Tom Keenan is a professor at the University of Calgary and an expert on technology and its social implications. He can be reached at keenan@businessedge.ca)