The cost of the TJX data breach could be as high as $1.6 billion, a figure that dwarfs the official costs mooted by the US retailer, a security vendor has claimed.

The estimate from security vendor Protegrity puts the bill for cleaning up the effects of the breach in the billions, a figure it has backed up with detailed cost calculations.

TJX Corporation recently took a $12 million after-tax charge on its accounts relating to the breach for the first quarter of 2007, a sum widely seen as underplaying the financial consequences of a data theft that affected 46 million customers.

But according to Protegrity, the real costs will be racked up in a blizzard of simple issues that TJX will not be able to avoid, including the biggest of them all, contacting and helping customers. It assumes that each customer record will cost TJX $5 to service, and that 20 percent of those whose data was breached will request a credit watch. The result is a quite plausible bill of $1.242 billion for this alone.

Smaller costs include legal advice ($12 million per annum), internal investigations ($8.1 million), and public relations ($3.4 million). More contentiously, Protegrity reckons that if 10 percent of the records are compromised by criminals, at an average cost of $50 per record, the charge back to TJX will be $228 million in direct costs. The probability of an exploit on any one record is said to be about one in three.

Surprisingly, official action against the company in the form of regulatory fines will make up only a trifling $1.5 million of its total hit.

The theft of customer data from the TJ Maxx and TK Maxx store chains run by TJX is estimated to be the biggest such heist ever recorded. Attackers are believed to have broken into the company’s databases through unprotected wireless access points over a period of some months in 2006.