The Costs of Security Incidents

I’m always fascinated by reported figures and research statistics about the costs of security incidents. Generally they represent just the tip of the iceberg, because in practice you can’t nail down the lost sales, reputation damage and future legal claims that are directly attributable to the incident. Security researchers, most notably the Ponemon Institute, have attempted to measure the costs of a data breach by analysing the total recovery costs, averaged across a number of real-life incidents. These figures suggest that the full cost of such breaches is likely to be as high as $100 to $200 per compromised customer account.

But real life rarely conforms to the projections of researchers, and organisations can of course be very different in their scale, brand value and crisis response. So it’s interesting to note the unfolding claims and facts surrounding high profile incidents such as the recent data breach at TJ Maxx, which involved the nightmare scenario of a compromise of more than 45 million customer credit card details. Many analysts and pundits (including myself) were quick to speculate on the long term cost of this breach. Estimates of damages of the order of billions of dollars were suggested. Some security experts even thought they might be one of the first companies to be wiped out by a single security incident. So, several months on, how has it turned out?

Well, the costs are certainly significant. TJX’s second quarter results indicate that a figure of $130 million has been set aside so far this year to cover costs and potential liability. This is reported to include a staggering $11 million in security consultancy fees. By my reckoning that would buy you a security department several times bigger than the average Fortune 100 organisation’s. It’s not chickenfeed. But it is a long way from the billion dollar hit forecast by the pundits. And an organisation with turnover measured in billions can easily survive a one-off hit of this size.

So, after all, does the real, eventual size of the damage really matter? Probably not a lot in practice, because a $100 million hit is more than sufficient to persuade Boards to take security very seriously indeed. And estimates of many further consequential damages, such as future lost sales, are largely academic, as they’re not measurable and will never be known.

1 comment

Now that some time has elapsed, it would be interesting to see if there has been any relative drop in stock value compared to similar sized companies that could perhaps be attributed to said breach. However, seeing as there's been a general downturn in retail, it's going to be a tricky project. There's also going to be a period of x months after which customers will forget about the incident and lost sales return to normal. I'd say there's definitely been some brand damage, but then the kind of people that shop at TJ Maxx (bargain hunters and jumble sale freaks) are not the kind of people who are going to be too bothered about credit card fraud and will happily take the hit and continue to shop there. Consequential loss due to lost sales? I'd say minimal. Results of lawsuit? Still a few years away... Visa/Mastercard fines? None, other than costs of card re-issue that was most likely capped at $500k as per merchant agreement.