In October 2015, hackers compromised the Website of British telecommunications firm TalkTalk, likely using one of 11 known vulnerabilities in the site to steal the personal details of 157,000 customers, including bank-account information on more than 15,000 people.
Earlier this month, the bill for the lapse in security came due: The company saw its profits decline by more than half in the first quarter of 2016. In its annual report released in February, the company revealed that it lost 95,000 subscribers and attributed more than £55 million (US$80 million) in losses to the hack, including the "exceptional costs of restoring our online capability with enhanced security features, associated IT, incident response and consultancy costs, and free upgrades" that the company offered to retain customers.
TalkTalk is the latest company to suffer significant lost business following a breach. While past analyses have found that breaches have not hurt companies' long-term stock price, businesses and their management are increasingly being called to account for significant recovery costs and lost business following successful cyber-attacks.
"The fact that we are moving into a period where people are being held liable says a lot," said Chris Novak, a director of the RISK computer investigations team at business-services firm Verizon Enterprise. "The impact is moving up the stack. It is no longer just an IT-level issue, it is a board or C-level issue."
Yet it may not be enough. While the sacking of CEOs has certainly drawn the attention of executive teams and boards, the financial penalties of breaches tend to be short-lived and easily absorbed by most large companies. When hacker Albert Gonzalez stole information on nearly 100 million credit and debit cards from Heartland Payment Systems in 2009, the company lost more than 75 percent of its stock value in three months. Yet the price bounced back, and its stock is now up nearly 500 percent since that time.
Following its 2013 breach, Target paid out more than $252 million, of which $90 million was reimbursed by insurance. While seemingly a large sum, the damages only amounted to 0.1 percent of the company's 2014 sales, Benjamin Dean, a fellow for Internet governance and cyber-security at Columbia University's School of International and Public Affairs, pointed out in an article last year.
And, in spite of the $80 million in losses, TalkTalk's breach costs only cut into profits and did not result in an overall fiscal-year financial loss for the company. In fact, the company's efforts to provide customer incentives resulted in churn reaching an all-time low in the last quarter of 2015.
Overall, the losses are not enough to drive companies to spend appreciably more on security, Lillian Ablon, cyber-security and emerging technologies analyst at RAND, told eWEEK.
"Sure they feel the pain, and some stock prices have gone down, but no one has really felt a lot of pain," she said. Part of the problem is that consumers may be tired of the repeating pattern of breaches and not sure what they can do to change corporate behavior, Ablon said.