Analysts at Cambridge, Mass.-based Forrester Research published a report on April 10 that proposed that TJX's breach could eventually cost the company as much as $1.35 billion in combined expenses and lost business.
Forrester's number comes from that firm's estimate of a cost per lost record of $90 and an estimate that around 15 million of the 45 million stolen credit records involved in the incident were for unexpired debit and credit cards.
For its part, Ponemon estimates that the cost to replace stolen records is a lot higher -- $182 per card -- but it also said that no company that has experienced a data loss has spent more than $22 million to recover from it.
At the end of the day, it's still difficult to tie breaches to specific financial repercussions beyond what companies spend on notifying their customers and setting up credit monitoring services for those affected by information losses, said Khalid Kark, the Forrester analyst who wrote the report.
"The perception is that people are concerned, but the reality is that it is very hard to change habits. They might tell you they will change their spending behavior, but when it comes down to real life, that's a different circumstance," Kark said. "Consumers have very short memories and may not actually punish a brand in the long-term if the company appears to get the right protections in place."
Shareholders would seem to be even less put-off by data incidents as long as companies appear to be making the right moves to reassure customers and improve security in response to breaches, the analyst said.
"We're already hearing investors in TJX saying that they have confidence that management is doing the right things," Kark said. "You can argue that stock price is a combined indicator of people's confidence in a company, and even when the stock price is influenced by something like this, in most cases it doesn't appear to have a long-term affect."