Major cyber security breaches capture headlines when they occur – the type of headlines companies want to avoid. But the financial and reputational damage lingers long after those initial headlines. Kevin Taylor looks at the long-term repercussions of some high-profile cases.
Back in late 2013, American retailing giant Target suffered what was then thought to be one of the largest corporate data breaches in history. The personal details of more than 70 million consumers were compromised in the attack – including the financial data of as many as 40 million people.
More than a year after that breach, a class action lawsuit in St Paul, Minnesota, resulted in Target being asked to put aside $10m as compensation for those consumers affected.
Shortly afterwards, Target thought it had agreed a settlement with MasterCard for its losses of $19m in compensation. However, several banks associated with the card company rejected that figure and, at the end of 2015, a final settlement was reached and reported to be some $39m. Furthermore, at around the same time, Target also reached a compensation deal with Visa – and this one chalked up another $67m.
As if all that wasn’t bad enough, the original judge in Minnesota even delivered the embarrassing ruling that Target had to up its cyber security game – largely based on the fact that the company was aware of the hack back in 2013 but initially chose to ignore it. In the immediate aftermath, Target would also let 1700 employees go and close 133 stores.
Think that might be the end of it? No. This month, four years on from the original breach, Target is still paying for the consequences and making headlines. A case led by the Attorneys General of Connecticut, Illinois and New York has seen the company agree to pay a settlement of $18.5 million to some 47 US states and the District of Columbia. In fact, with legal fees and other costs, conservative estimates now put the total financial cost of the data breach to Target at somewhere in the region of $250 million. And who is to say the saga has finished?
The Target breach occurred when the hackers took advantage of the poor security of a third-party vendor to access the company’s network. After that, it became almost an object lesson in what not to do – addressing neither the cause of the breach nor the fallout from it straight away. Four years on, the company is still paying the price – both financially and in reputational terms.
But if you want an example of how to really mess up the handling of a cyber security breach, then look no further than Yahoo! – a company for whom the exclamation mark could have been invented.
Last year, over a tortuous few months, news leaked out that Yahoo! had suffered several different attacks. Revealing, in 2016, that a “state-sponsored” attack had affected some 500 million users seemed bad enough. But in July last year, in a filing to the Securities and Exchange Commission (SEC), Yahoo! admitted that it had first noticed that breach way back in 2014 – a full two years earlier.
Things couldn’t get worse for the company, could they? Yes, they could, because just a few months later the company had to admit that it had now uncovered an even earlier breach of its security, which had compromised the accounts of some one billion Yahoo! users. Here’s what the company told the SEC:
“Based on further analysis of data by forensic experts, we believe an unauthorised third-party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft.”
I’m not sure what’s the worst thing here – knowing there has been a breach and keeping quiet about it, or not even noticing that one has happened until more than three years later. The full financial fall-out of these hacks is yet to emerge – except in one area, and that is in terms of the company’s value.
Because news of these data breaches emerged at just the time that Verizon was pressing ahead with its acquisition of Yahoo! – and a cool $350 million was wiped off the price when the companies finally reached agreement. Indeed, at one point Verizon was angling for something closer to $900 million off the asking price.
In the aftermath of the emergence of the theft, Yahoo! was busily advising its customers to change their passwords and check for unusual transactions. Three years after the theft, that seems very much to be a case of shutting stable doors after the horse has bolted.
What both these cases show is that while the immediate headlines are damaging, the long-term ramifications are much worse. The compensation cases drag on, the story refuses to go away and a company’s name becomes forever associated with words such as “hack” or “data breach”.
In the event of an attack, companies have a duty of care to inform any customers potentially affected as soon as possible, and to provide guidance about the security steps that customers should immediately take. Further, from a technology point of view, companies need to know how they will shut down their systems to contain the breach, and ensure their back-up systems allow them to roll back the clock to a state of their network that pre-dates the attack.
How prepared you are for an attack, and how you deal with it when it occurs, matters – as the judge in the Target case has shown. It can limit losses, restrict compensation and help to mitigate reputational damage. Going forward, companies need to invest not just in stronger cyber security, but also in training their executives in how to respond to a breach.