Makers of security software designed to help companies fight such data loss contend that IT executives, when they first try out one of the programs, are typically shocked to find out where all their sensitive data is located and how it is being handled by employees and business partners.

"Most people are really surprised by what they see. We were even shocked when we turned on the ILP technology for the first time," said Devin Redmond, director of security products at San Diego-based Websense, which acquired information leakage prevention (ILP) specialist PortAuthority Technologies for $90 million in December 2006.

"It is amazing to see how much data is moving around the network and being used in ways that existing security policies don't cover," Redmond said. "For companies who haven't addressed the problem that are attacked, the biggest challenge is simply figuring out where your sensitive data might reside to begin with, and what was done to it."

Privacy watchdogs said that many businesses, specifically retailers such as TJX, have been aggregating vast amounts of sensitive consumer data for years with little regard for its security.

Because businesses struggle just to understand the parameters of such an attack, there is little hope that large companies will soon be able or willing to more intelligently defend their data, said Lillie Coney, associate director at the Electronic Privacy Information Center (EPIC) in Washington, DC. -- even when faced with glaring examples of what can go wrong.