Canadian personal and business financial services cooperative Desjardins has revealed that it spent the equivalent of $53m or nearly £44m in the second quarter related to a data breach earlier this year.
The data breach, reported in June 2019, exposed data for approximately 2.9 million members including individuals and businesses.
The breach was blamed on an “ill-intentioned employee” who was subsequently dismissed for disclosing the data “to individuals outside Desjardins without authorisation”. Desjardins said the company was not the victim of a cyber attack and its computers were in no way breached.
However, it has not specified what customer data was accessed and who it was shared with, according to SearchSecurity. The company said only that account passwords, security questions and personal identification numbers (PINs) were not exposed.
Desjardins said it “introduced additional monitoring and security measures” to protect customer information, sent a letter to all members affected by the incident, and offered all affected members a credit monitoring plan and identity theft insurance with Equifax for five years.
In addition, on 15 July 2019, Desjardins Group announced all its members were automatically protected against identity theft.
“The expenses related to costs incurred and the establishment of a provision with respect to the implementation of these protections for our members, totalling C$70m, have been recognised in profit or loss in the second quarter of 2019,” the company said in its latest financial report.
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said the second-quarter cost is likely to be the start of financial losses and spiralling spending that will likely last for years.
“Most businesses foreseeably downplay data breach losses, omitting vital components of the inflicted damages in their calculations,” he said.
According to Kolochenko, individual and collective lawsuits initiated by the victims, even if settled with comparatively “scanty compensation” afterwards, usually end years after the breach.
“Penalties and regulatory fines imposed by the governments, often in different countries thereby aggravating the costs, likewise are not of an immediate nature,” he said.
“Last but not least, the ongoing reputational damage and loss of business is frequently incremental, but somewhat imperceptible. Most customers and partners won’t resign their contracts with a hacked company immediately after the incident for a diversity of practical reasons, though they will undoubtably have less intention of renewing their contracts afterwards.”
Cyber security insurance is one possibility that organisations should explore to handle data breaches, said Kolochenko.
“However, given the emerging nature of this market, it’s a slippery slope and insurance contracts should be meticulously revised by a trusted law firm and cyber security experts for mushrooming exceptions and waivers,” he said.