The True Cost of a Data Breach

The Target breach has impacted countless millions (now over 100 million and counting) but the headaches for Target are just getting started. The untold inconvenience to customers is mounting.

Yet Target (and now Neiman Marcus, and soon more to come) are victims too. They have been diligent in their efforts to have a defense-in-depth strategy. “Detect and defend” is the industry norm, working to balance “threat” risk against “business” risk. They have spent millions on the PCI standard to limit their exposure, and now that this has happened to them they must be asking: “How can this happen to us? We spent millions on PCI certification from a reputable vendor, and this still happened to us! How?”

At Cylance, we believe in REAL prevention: stopping the execution of malware before it can even initiate. We have over 500 years of combined experience in the security field as thought leaders, practitioners, developers and expert consultants. This is significant considering the cybersecurity industry really is only about 20 years old (looking back to the early 90’s with the first antivirus products and firewalls). Numbers matter, both for the companies trying to defend themselves and for the security vendors who attempt to protect them.

Thus, let’s take a look at the metrics that go beyond brand impact, customer trust, and general inconvenience. Let’s look at how companies are impacted…and this is not specific to retailers.

Target originally reported 40 million accounts that were compromised, which has since been revised to 100 million:

  • Target has revised their 4th Quarter earnings per share down by 25% from a high of $1.60 down to a low of $1.20. That’s HUGE for their biggest Quarter of the year.
  • With 632 million shares…that’s $252 million in value alone…just this Quarter. Expect more in future Quarters, which they have not addressed.
  • Target was also expecting a sales increase of 1-2%, which is now likely to come in at -4%. That’s a sales swing of almost $1 billion on their 4th Quarter revenues from last year.
  • Industry estimates put the cost of bank card cancellation and reissuance at $100/card. That’s $4-10 Billion additional cost to Target, the financial institutions who create/issue the cards, mailing, identity theft services, credit monitoring, etc. depending on how many accounts were actually affected.
  • While likely high, the single estimated total cost of a breach is $200 per breached account.

If 100 Million people were affected, just for Target that’s potentially a $200 BILLION impact. This is not all stock price valuation. Humans, and particularly Americans, have a short-term memory and generally love to gamble. Thus, Target stock will be bought on the dip and held until people forget.

Also, while some organizations benefit (e.g. the plastic manufacturers, middlemen, and others who sell cards to the financial institutions, and some security vendors), this has a tremendous negative impact on the victimized organization and its downstream individuals.

Let’s look at a few other costs Target is going to have to bear:

  • Identifying Root Cause
  • Identifying resources for troubleshooting
    • Resources include (as an example):
    • 1) Help Desk Personnel
    • 2) Internal Incident Management teams to regulate and steer the calls
  • External Incident Response consultants to help in the speed and detail of rectification
    • 1) Resources, which could vary depending on the condition of the issue and its severity to the enterprise, may include:
      • Technical
      • Management
      • Consulting
      • Legal
      • Finance
    • 2) Involvement of Vendors whose technologies failed, to trace down the issues and troubleshoot items
    • 3) Log captures and wait times for review and analysis
    • 4) Man-hours spent in resolution, while other important items wait pending availability of the man-hours
    • 5) Business Continuity impact overall to management, staff, clerks at stores, etc.
  • Reimaging thousands of computers
  • Upgrading thousands of POS machines
  • Backup and storage of all data
  • Forensics experts: tools, products, people, time
  • Lawsuits, both individual and class action, from impacted people and organizations

Other non-financial impacts that become difficult to quantify:

  • Brand Reputation
  • Loss of purchasing trust
  • Possibility of regulatory PCI Compliance issues

This paints a bigger picture of cybersecurity and why it is so important to prevent rather than to respond to threats. At Cylance, we know the industry is riddled with technology and processes that are necessary, but unfortunately all too insufficient for today’s threats.

Other resources you can check out yourselves:
http://www.transvive.com/uncategorized/true-cost-data-breach
http://www.theepochtimes.com/n3/427830-the-true-cost-of-cyberattacks-on-companies/

Greg Fitzgerald
SVP of Marketing
Cylance, Inc.