What may be one of the biggest data breaches of all time occurred at marketing firm Epsilon. But it’s the company’s clients, such as Best Buy, JPMorgan, TiVo, Walgreen, and Kroger, who will end up paying the price.
Hackers accessed millions of names and email addresses through Epsilon, a Dallas-based firm that manages email lists for major retailers and banks.
“I would not expect Epsilon to lose significant amounts of revenue,” says Larry Ponemon, the chairman of the Ponemon Institute, a research institute in Traverse City, Mich., that publishes an annual study on the cost of data breaches. But “the companies that use Epsilon … they may actually see a loss of customer goodwill.”
A loss of goodwill could make it harder for a company to retain existing customers and acquire new ones. Even when the breach was caused by a third party and is not disastrous — this one involved e-mail addresses, not customers’ financial information — it can create the same level of ill will toward a company that a serious breach would.
When a company notifies a consumer of a data breach, most don’t read beyond the first couple of sentences, a 2009 Ponemon Institute study found. “They’re not going to read the fine print,” Mr. Ponemon says.
Immediate damage control isn’t cheap either — companies have to devote manpower to figuring out which customers are at risk, notifying affected customers and handling a high volume of calls from customers.
The costs of data breaches are skyrocketing, says a Ponemon study published last month. The cost of a malicious attack for each compromised record rose from $103 to $318 from 2009 to 2010. Breaches by third-party outsourcers, like the Epsilon breach, are becoming less common but more expensive, with overall occurrence down 39 percent and the cost of each compromised record up $85 per record to $302.
The breaches included in the study were of a substantially smaller scale than the Epsilon breach, so the numbers in the study may not apply to massive breaches.
In light of the the breach, companies will also have to reassess their security, and that kind of examination can be costly, says Noa Bar-Yosef, the senior security strategist at Imperva, a Redwood Shores, Calif.-based data protection company. “They need to start thinking about security for the sake of their customers.”
An exposed email address may seem innocuous, but each one is associated with the company from which the customer already gets promotional emails. The combined knowledge gives hackers bait for easy phishing — a type of online fraud. For instance, a Best Buy customer may receive an e-mail that appears to be from Best Buy but is actually loaded with software that can steal information from his computer.
There are two basic causes of a data breach, says Ponemon: Companies are negligent and cyber-criminals are getting smarter.
“There is no question that we’re seeing bolder, smarter, more stealthy cyber-criminals,” he says.