NEW YORK (AP) - History doesn’t always repeat itself.
The hit to TJX Cos. was minimal after it disclosed in 2007 a massive data breach of customer information at its T.J. Maxx, Marshalls and HomeGoods stores.
But Target Corp. isn’t faring as well: More than two months after it revealed that hackers stole credit card numbers and personal data of millions of its customers, Target’s sales, profit and stock prices have dropped.
What’s worse, the nation’s second largest discounter faces the prospect that some shaken shoppers may not return to its stores for a long time. In fact, Target on Wednesday said it expects business to be muted for some time, though it said sales are recovering since the breach was disclosed in mid-December.
TJX declined to comment for this story, but John Mulligan, Target’s chief financial officer, told The Associated Press on Wednesday that the most loyal customers have stuck with Target, but wooing back others will take time.
“We need to remind people why they fell in love with Target,” he said.
TJX found itself in the same situation years ago when it announced what was the largest security breach by a retailer at the time. Still, the fortunes of TJX Cos. and Target may wind up being quite different.
Although the data breaches at the two retailers each affected millions of shoppers, analysts say a combination of factors makes Target’s challenge bigger. Those include the timing of each company’s disclosure and Americans’ heightened sensitivity toward privacy concerns now versus before the TJX breach.
The retailers’ fates are playing out differently so far. TJX’s stock slid 12 percent in the weeks after the breach disclosure to as low as $13. But by the end of 2007, the shares rebounded and today, they’re trading at about $58.
Sales also weren’t derailed in the breach’s aftermath: Revenue at stores opened at least a year, an important retail measurement, were up a better-than-expected 4 percent for the year following the breach.
Meanwhile, Target said on Wednesday that its profit in the fourth quarter fell 46 percent on a revenue decline of 5.3 percent as the breach scared off customers worried about the security of their private data. Revenue at stores open at least a year fell 2.5 percent.
Target’s stock had fallen 11 percent since it disclosed the breach in mid-December. But on Wednesday, investors pushed shares up nearly 7 percent on the news of recovering sales. The stock is now trading at about $60, down 5 percent since the theft was disclosed.
TMI: TOO MUCH INFORMATION?
Analysts say one reason Target is suffering more than TJX did may have something to do with the timing of their disclosures.
Target disclosed on Dec. 19 data breach compromised 40 million credit and debit card accounts between Nov. 27 and Dec. 15. Target said it disclosed its breach within days of finding out about it, shortly after the news was leaking online. But the news came at the worst time for a retailer: During the final days before Christmas, the busiest shopping period of the year.
Then, Target revealed the theft was wider than originally believed a month later. On Jan. 10, it said hackers also stole personal information - including names, phone numbers as well as email and mailing addresses - from as many as 70 million customers.
Target has said there is some overlap between the two batches of data stolen. When the final tally is in, Target’s breach may eclipse the theft at TJX, which is the largest incident for a retailer on record.
Conversely, TJX found out about its breach in mid-December 2006, but didn’t make it public until the following month. TJX’s theft compromised more than 90 million records over an 18-month period starting in mid-2005.
Initially, in March 2007, the retailer disclosed that 45.6 million credit cards were compromised, but a group of banks suing the retailer put that number at more than 90 million in an October 2007 court filing.
STRUGGLES ELSEWHERE
The fallout from Target’s breach also comes as the company is struggling with other problems whereas TJX’s business was doing well at the time of its disclosure.
Target was already experiencing sluggish sales in the U.S. as it’s faced increased competition from online retailers and other rivals. Abroad, it’s facing disappointing results from its first international expansion into Canada.
“This is hitting (Target) when they already have rough challenges,” said Amy Koo, an analyst at Kantar Retail, a consulting group. “This is taking huge attention away from critical long-term issues.”
On the other hand, the breach at TJX happened as its formula of offering big discounts on major fashion and home brands was resonating even more as the country was heading into a recession.
COSTS, COSTS, COSTS
Target may also pay a heftier price financially than TJX because it’s breach could cause more damage.
Target said it can’t yet estimate how much the data breach will cost it in total. But Avivah Litan, a security analyst at technology research firm Gartner Inc., a technology research firm, puts the costs of the Target breach at between $400 million and $450 million, including bills associated with fines from credit card companies and services for its customers like free credit report monitoring.
But TJX’s costs, which Litan estimated at about $275 million, pale in comparison. That included costs associated with lawsuit settlements and fixing its security systems.
Litan said Target faces more costs because there was more damage from the breach. In the case of TJX, about three-quarters of the cards compromised had either expired by the time of the theft or had masked data in the magnetic strip, meaning the information was stored as asterisks rather than numbers.
“It took the criminals much longer to get them to the black market and then turned into counterfeit cards,” Litan said of the TJX breach. “This time, the criminals moved with lightning speed to cash out.”
FIRST OUT OF THE GATE
Target also may be hurt more because Americans are become more aware of security concerns since TJX’s breach.
Robert Passikoff is president of Brand Keys Inc., a New York customer research firm, which has an index that tracks shoppers’ expectations on price, reputation and store experience for different categories of stores. Any score under 70 means a brand is in trouble, said Passikoff, who believes shoppers have a more heightened sense of expectations regarding security nowadays.
Target’s score has dropped 11 percentage points to 77 percent since the theft was disclosed. In the discount category, Target fell from the No. 2 spot after Wal-Mart Stores Inc. to the No. 3 spot behind the struggling-retailer Kmart. Conversely, in the wake of the TJX breach, T.J. Maxx, its largest business, had only a three percentage point drop to 81 percent, which he said is insignificant.
Still, shoppers like Colleen McCarthy, 26, give Target hope. McCarthy, who lives in Cleveland, has pulled back dramatically on shopping at Target since she was alerted by Chase bank that thieves had cleared $150 from her bank account, which made her rent check bounce. But McCarthy is slowly warming up to shopping at Target more frequently like she used to.
“I can’t see avoiding it forever,” she said. “I am hoping they stepped up security.”
Please read our comment policy before commenting.