Unfortunately, each week the news headlines present a new data breach. While the immediate news is disheartening to the consumer, organizations must contend with the short- and long-term consequences. In addition to the immediate costs associated with an incident, this article will highlight the additional financial and operational repercussions of a data breach.

Following a series of high-profile, high-value breaches, certain observations and trends are emerging. The following are examples of business trends affecting companies that were recently victims of a cyber attack. Most of these cyber attacks were point-of-sale (POS) attacks.

Increase in Boards of Directors Attention

Companies’ Boards of Directors are taking more seriously the protections they have in place for their networks and digital assets. Companies that have been breached dedicate more time and resources to cyber security, specifically IT budgets, which are now reaching 6-15% of a company’s total budget. In many cases, Boards are instructing their companies to conduct risk assessments, penetration testing, and threat assessments in order to align budgets with company IT risks. In fact, 70% of companies surveyed in an IANS study[1] indicated that they are using risk assessments to drive their IT security budgets. The top IT security priority for companies is to improve network security, followed by maintaining compliance, and then implementing advanced threat detection and protections. In addition, Boards and C-Suites are paying close attention to, and learning the nuances of, compliance versus security, the introduction of new technologies into the company, the implications of breaches, and incident response capabilities.[2]

Change in Leadership and Organization

Target’s breach continues to redefine cyber security and incident response, in particular the attention on management’s role in cyber security. Target’s CEO resigned due to the breach, and almost six months following the attack, Target replaced its CIO.[3] Not to mention the significant pressure placed on Target’s Board of Directors: “A proxy firm, Institutional Shareholder Services, had recommended that investors oust seven board members. The firm said the board failed to protect the company from last year’s data breach.  The board members were able to convince shareholders to re-elect them, however, although the message to them was clear that future data security breaches were considered to be their responsibility”.[4]

The impact of the eBay breach provides a case study in a change in organization. PayPal will split from eBay this January. According to reports, PayPal’s size grew 2% beyond predictions this past quarter to 29%.[5] eBay, on the other hand, missed its estimated sales target. The consequences of the data breach extend well beyond the immediate financial costs of recovery. The change in leadership and company organization highlights the long-term, strategic repercussions of a breach.

Decline in Sales and Profit

On October 16, SUPERVALU announced a 23% decrease in its quarterly earnings. The second quarter profit fell from $40 million to $31 million, with $1 million covering the immediate cost of the breach.[6] This decline in profit, according to the supermarket chain, is directly linked to the recent data breaches. The news of a breach comes at a time when the grocer is facing competition from other stores and consumers are becoming more “cost-conscious”.

Another prominent example was Target. Following its widespread breach, profit declined by 46%.[7] This decline is due to the overwhelming number of lawsuits, investigations, credit monitoring, and call centers to field customer inquiries. The direct expenses associated with the breach cost Target $148 million.[8] Other significant business decisions took place in light of the breach, with cascading financial consequences. For example, Target decided to reduce its stock buybacks to $1-2 billion from a projected $4 billion.[9] Plus, it discounted much of its merchandise to keep its customers buying.

Target is a large company and indicated that they had the resources to absorb the costs, which calmed investors’ worries, but didn’t change the ultimate financial reality. According to the Wall Street Journal, “Target’s shares rose $3.98, or 7%, to $60.49 on the New York Stock Exchange. […]  Wednesday’s gain left the company’s shares 4.8% below where they were before Target disclosed the breach on Dec. 19”.[10] A contributing factor to Target’s decline in earnings was related to a push into the Canadian market.

This past May, eBay announced a breach that captured encrypted passwords and other data.[11] To execute the attack, the attackers gained the login credentials of eBay employees. Using this information, the attackers obtained customer names, email addresses, physical addresses, phone numbers and birth dates. As a result of this breach, customers, not surprisingly, decided not to shop on eBay. That means the small businesses that rely on eBay to sell products were greatly impacted. According to a small business owner who conducts 70% of business transactions via eBay, the breach “changed everything overnight”.[12] In one weekend, the business owner lost $5,000 in sales. In order to redirect consumers back to eBay, additional resources are being directed to marketing initiatives; however, only two-thirds of eBay users have reset their passwords, per eBay’s counsel, and “Google Inc. changed its search results, curbing visits to eBay’s website from potential shoppers”.[13] Needless to say, eBay and the businesses that rely on eBay are in for a long road to recovery.

As for the hard numbers, eBay and its shareholders must deal with:

  • Net income in the third quarter fell 2.3 percent to $673 million, or 54 cents a share, from $689 million, or 53 cents, a year earlier.[14]
  • The shares of eBay fell 4.7 percent to $47.88 at the close in New York. The stock is down 13 percent this year.[15]

Preventative and Cautionary Advice for Businesses

Unfortunately, when it comes to a data breach, it is not a matter of ‘if’ but a matter of ‘when’ your organization becomes a victim, regardless of the sophistication of the technology security in place. However, there are actions that can reduce the impact:

  1. Set up an IT working group or council with members from across your organization to discuss the IT risks that affect the entire enterprise.
  2. Host a leadership discussion on the value of cyber insurance or self-insuring.
  3. Conduct tabletop exercises simulating a cyber incident response.
  4. Routinely benchmark your technology, policies, and procedures against similar organizations to evaluate your security posture.