Despite industry estimates that retail data breaches typically cost about $200-$300 per compromised card, a Maine government report found the actual cost to have been $7.49 per card for TJX and $6.77 per card for Hannaford. That's roughly 30 to 45 times lower than the industry figures.
Security vendors are fond of publishing the most extreme estimates of data breach costs, because those figures make the ROI argument for retailers paying them a lot of money. But retailers can notify consumers in very cost-effective ways, and they can often get help with that communication from the other parties involved, such as the card brands and the processing bank.
But how high were those industry estimates? In 2007, Forrester Research tagged the "per exposed record" cost at between $90 and $305. Later in 2007, the Ponemon Institute put that figure at $197, an increase from the $182 it reported in 2006.
But Maine officials saw it quite differently. During the examined period, TJX reported 64,825 affected accounts and said that it spent $485,245 to deal with them, or $7.49 for each one. Hannaford told government officials that, during the period examined, 316,432 accounts were affected and it spent $2,143,450 to deal with them, or $6.77 for each one.
Why are the figures so radically different? One critical issue is that a large share of the affected cards may incur no expense at all, for example because the cards had already been shut down or had expired before the breach was discovered. Also, not every card that remains active is necessarily reissued. Note, too, that the Maine figures cover only the costs the retailers reported for the period examined, so they are a measure of direct response cost per account rather than of total breach cost.
The Maine report broke down the expenses for each retailer. With TJX, of the almost half a million dollars spent during the period examined, 14.8 percent paid for the investigation, 15 percent for communication and 58.8 percent for actually reissuing some of the cards. Hannaford's numbers were similar, with 11.6 percent spent on the investigation, 13.7 percent on communication and 53.9 percent on reissuing cards; the remainder in each case fell into other expense categories.