In October 2015, hackers compromised the Website of British telecommunications firm TalkTalk, likely using one of 11 known vulnerabilities in the site to steal the personal details of 157,000 customers, including bank-account information on more than 15,000 people.
Earlier this month, the bill for the lapse in security came due: The company saw its profits decline by more than half in the first quarter of 2016. In its annual report released in February, the company revealed that it lost 95,000 subscribers and attributed more than £55 million (US$80 million) in losses to the hack, including the “exceptional costs of restoring our online capability with enhanced security features, associated IT, incident response and consultancy costs, and free upgrades” that the company offered to retain customers.
TalkTalk is the latest company to suffer significant lost business following a breach. While past analyses have found that breaches have not hurt companies’ long-term stock price, businesses and their management are increasingly being called to account for significant recovery costs and lost business following successful cyber-attacks.
“The fact that we are moving into a period where people are being held liable says a lot,” said Chris Novak, a director of the RISK computer investigations team at business-services firm Verizon Enterprise. “The impact is moving up the stack. It is no longer just an IT-level issue, it is a board or C-level issue.”
Yet it may not be enough. While the sacking of CEOs has certainly drawn the attention of executive teams and boards, the financial penalties of breaches tend to be short-lived and easily absorbed by most large companies. When hacker Albert Gonzalez stole information on nearly 100 million credit and debit cards from Heartland Payment Systems in 2009, the company lost more than 75 percent of its stock value in three months. Yet the price bounced back, and its stock is now up nearly 500 percent since that time.
Following its 2013 breach, Target paid out more than $252 million, of which $90 million was reimbursed by insurance. While seemingly a large sum, the damages only amounted to 0.1 percent of the company’s 2014 sales, Benjamin Dean, a fellow for Internet governance and cyber-security at Columbia University’s School of International and Public Affairs, pointed out in an article last year.
And, in spite of the $80 million in losses, TalkTalk’s breach costs only cut into profits and did not result in an overall fiscal-year financial loss for the company. In fact, the company’s efforts to provide customer incentives resulted in churn reaching an all-time low in the last quarter of 2015.
Overall, the losses are not enough to drive companies to spend appreciably more on security, Lillian Ablon, cyber-security and emerging technologies analyst at RAND, told eWEEK.
“Sure they feel the pain, and some stock prices have gone down, but no one has really felt a lot of pain,” she said. Part of the problem is that consumers may be tired of the repeating pattern of breaches and not sure what they can do to change corporate behavior, Ablon said.
Huge Data Breach Losses Aren’t Forcing Companies to Bolster Security
In a recent survey, RAND found that only 11 percent of consumers stopped doing business with a company because of a breach.
“I have often wondered why consumers are not up in arms—because their information is out there, it is so easily taken,” Ablon said. “I think it is because consumers are not feeling the hurt. Identity theft is pretty small in terms of financial impact.”
The result is that half of companies are not increasing their spending on security, according to a 2015 report by the Ponemon Institute, funded by security services provider Dell SecureWorks. Of the other half, about two-thirds plan to increase their spending in the next two years and the remainder will dramatically increase their budgets.
“Despite the increase in well-publicized security breaches, IT security investments are not getting the board’s attention and support,” the report stated.
While large companies can absorb the impacts of a breach, small companies generally run the risk of being put out of business by a significant compromise. While a breach of personally identifiable information is not known to have led to the direct failure of a company, other types of compromises have resulted in businesses being shut down. Code repository Code Spaces, for example, closed its virtual doors after a hacker took control of its Amazon control panel and deleted all of its servers when the owner refused to pay a ransom.
“Small companies are based more on relationships, and … they tend to be more directly impacted than the large firms,” Verizon’s Novak said.
Two trends, however, will raise the stakes for both breached companies and their victimized customers.
First, information that is not easily changed or replaced, such as Social Security numbers, is increasingly targeted by hackers. In 2015, for example, nearly 165 million records containing Social Security numbers were compromised in 338 breaches.
In contrast, fewer than 1 million records involving debit or credit cards were exposed in 2015. The previous year saw far more cards exposed: some 138 breaches resulted in information on nearly 65 million cards being stolen by hackers, according to the Identity Theft Resource Center.
The second trend is that companies are collecting more and different kinds of personal information about their users. For example, home video cameras frequently connect to a cloud service to store video. Attackers could easily gain information on consumers through a breach of such a service. Other devices that are part of the Internet of things—from heart monitors to GPS-enabled trackers—will only accelerate this trend.
“Now you are getting into the area where all this stuff is getting really personal because of everything [that is] connected all around us,” Verizon’s Novak said. “The exposures will become much more serious, and I think you are going to see that consumers are going to care a lot more.”