Epsilon Data Breach to Cost Billions in Worst-Case Scenario

The ultimate price tag of the data breach at email marketing company Epsilon could be as high as $4 billion, depending on what happens to the stolen data and customer churn, a cyber-risk analytics firm said.

Email marketing services company Epsilon's recent data breach could cost the company as much as $4 billion, according to a worst-case scenario outlined in a recent report.

Epsilon will face years of repercussions, up to $225 million in liabilities and $45 million in lost business, cyber-risk analytics and intelligence firm CyberFactors said in a report released April 29. The report broke down costs for forensics audits and monitoring, fines, litigation and lost business for Epsilon and its affected customers in a three-year outlook.

The total cost of the Epsilon breach could eventually run as high as $3 billion to $4 billion, given that compromised email addresses could be used by hackers and phishers to gain access to sites that contain consumers' personal information, according to CyberFactors. This figure includes costs to Epsilon, its customers and the individuals whose email addresses were stolen. Until a spear phishing campaign that can be directly linked to the breach occurs, the estimate remains "theoretical," according to the report.

"Cloud companies would be wise to think more like banks, insurance companies and hedge funds, and not just aggregators of the world's precious data and technology dependencies," said Regina Clark, research and analytics director for CyberFactors.

The company disclosed March 30 that attackers had breached its databases and stolen email addresses for two percent of its customers, which included major names such as Best Buy, Citibank and the Walt Disney Company. Epsilon has not revealed the number of affected consumers or the number of email addresses stolen.

Despite Epsilon's claim, made on an April conference call with analysts, that two percent of its customers were affected, the breach more likely involved 75 companies, or three percent of the company's client roster, according to the CyberFactors report. The repercussions, which include notifying customers and changing marketing strategies, would wind up costing $412 million. Combine that with liabilities, and Epsilon is looking at an aggregate cost of $637 million, or more than half a billion dollars, for an email database.

Ed Heffernan, CEO of Alliance Data, had projected no "meaningful" costs or liability related to the incident.

Each customer will likely face $5.5 million in costs, which would include notifying consumers, settlements and legal fees, compliance costs and loss of business.

CyberFactors "conservatively estimated" the number of compromised email addresses at 60 million. The analysis assumed that the affected Epsilon customers had roughly equal numbers of emails compromised.

Epsilon will likely be paying for the breach for years, as 51 percent of the costs will be incurred in year one, 42 percent in year two, or 2012, and seven percent in year three and thereafter.

"The Epsilon event suggests a much more profound financial risk environment is now upon us," Clark said.

Epsilon and its parent company, Alliance Data Systems, are understandably concerned about losing customers as a result of the breach. The "vast, vast majority, if not all" of the clients would stick around, Heffernan had predicted after the breach. CyberFactors said it was more likely that Epsilon will lose both current and potential customers scared away by the news.

Loss of revenue related to customer churn could range from $6.1 million, if only one percent of customers moved their business elsewhere, to more than $30 million if five percent of the customers left, according to the report.

The economics of business risk for cloud providers and their customers can no longer be ignored, and cloud vendors need to innovate. "Everyday people are at risk and starting to get breach fatigue and quite frankly, severely irritated," the report authors wrote.