Huge Data Breach Losses Aren't Forcing Companies to Bolster Security
In October 2015, hackers compromised the Website of British telecommunications firm TalkTalk, likely using one of 11 known vulnerabilities in the site to steal the personal details of 157,000 customers, including bank-account information on more than 15,000 people.
Earlier this month, the bill for the lapse in security came due: The company saw its profits decline by more than half in the first quarter of 2016. In its annual report released in February, the company revealed that it lost 95,000 subscribers and attributed more than £55 million (US$80 million) in losses to the hack, including the "exceptional costs of restoring our online capability with enhanced security features, associated IT, incident response and consultancy costs, and free upgrades" that the company offered to retain customers.
TalkTalk is the latest company to suffer significant lost business following a breach. While past analyses have found that breaches have not hurt companies' long-term stock price, businesses and their management are increasingly being called to account for significant recovery costs and lost business following successful cyber-attacks.
"The fact that we are moving into a period where people are being held liable says a lot," said Chris Novak, a director of the RISK computer investigations team at business-services firm Verizon Enterprise. "The impact is moving up the stack. It is no longer just an IT-level issue, it is a board or C-level issue."
The cost of even huge data breaches are not enough to convince companies to spend vastly more to bolster IT security, since neither investors nor customers permanently abandon them.
Yet it may not be enough. While the sacking of CEOs has certainly drawn the attention of executive teams and boards, the financial penalties of breaches tend to be short-lived and easily subsumed by most large companies. When hacker Albert Gonzales stole information on nearly 100 million credit and debit cards from Heartland Payment Systems in 2009, the company lost more than 75 percent of its stock value in three months. Yet the price bounced back, and now its stock is up nearly 500 percent since that time.