We have been covering cyber security breaches and their financial costs for several years. Beyond the fines meted out to organisations whose customers' details are stolen, what about those who sell that information on willingly? And in either case there is the cost to company reputation, over and above any fine, which also needs to be counted when calculating the real cost of a cyber security breach.
Pharmacy2U, the UK's largest NHS-approved online pharmacy, was fined £130,000 this week for selling information collected about its own customers to third-party marketing companies. The ruling was simple: the online drug seller had not obtained permission from customers for their data to be sold on in any form. Pharmacy2U has apologised, calling the sales a "regrettable incident", but the impact on its reputation will be a lot larger than the penalty from the Information Commissioner's Office (ICO).
This week also saw Sony agree to pay up to $8m in compensation to its employees over the loss of their personal data in the 2014 hacking scandal surrounding the release of the film The Interview. In that story, which we covered back in December 2014, Sony Pictures Entertainment found itself the victim of a large-scale cyber-attack in which unreleased films leaked, along with the personal data of 47,000 people employed by or associated with Sony. The $8m settlement still needs court approval, but it would see Sony reimbursing current and former employees for losses, preventative measures and legal fees relating to the incident.
In a further twist, this week saw the disclosure of a Sydney-based professional services business, which is seeking to remain anonymous, having been infected by ransomware. The malware found its way onto their systems when an infected zip file received from a client was opened. It then spread through the organisation, encrypting everyone's documents and directing users to a website demanding a ransom to unlock the files. Rather than pay, the company decided to wipe the affected data and recover it from their backup server. The problem with this plan was that, although the backups were supplied by their outsourced IT supplier and assured by them as being in good order, when the company attempted to restore from them it discovered that the backups had in fact been failing for some time, and more than seven months of company data was lost. Nobody had ever tested a restore; the backup job's own reports of success had been taken on trust. The business has since undertaken the tedious and time-consuming task of recreating this data from emails and attachments. This has cost the business A$10,000 in man hours alone for the rebuild, and the cost in terms of damage to reputation remains hard to quantify. In reference to the original ransom demand (the amount is not known), the MD stated, "I might just pay next time".
With the increasing costs to business resulting from cyber-attacks and a growing appetite for protection, many companies will be investigating cyber insurance, but this is still an emerging market which has its limits and will not cover every cost. For example, it can be difficult to obtain a pay-out because business disruption is often vaguely defined in policies, and cyber insurance does not cover the all-important reputational cost. Cyber insurance can give peace of mind against large pay-outs, but it cannot protect reputation and is no substitute for stronger network security, employee training and a regularly tested backup strategy.
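The Sydney incident above and the closing point about a regularly tested backup strategy come down to one check: a backup is only proven by restoring it, not by the backup job reporting success. The following POSIX shell script is an added example written for this article; it is not code from the affected business or its IT supplier. It builds a constructed fixture (a "live" directory, a good archive taken from it, and a "silently failing" archive whose job kept succeeding against a stale copy that never received a newer file), then verifies each archive by extracting it to a temporary directory and comparing every live file byte-for-byte, while also rejecting archives older than a given age. The file names, archive paths and the 24-hour age limit are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: prove a backup by restoring it, rather than trusting the
# backup job's own exit status. All paths and sample files below are
# constructed for the demonstration.

# verify_backup ARCHIVE SOURCE_DIR MAX_AGE_SECONDS
# Returns 0 only if ARCHIVE is no older than MAX_AGE_SECONDS, extracts
# cleanly, and contains a byte-identical copy of every file in SOURCE_DIR.
verify_backup() {
    archive=$1; src=$2; max_age=$3
    [ -f "$archive" ] || { echo "FAIL: $archive does not exist"; return 1; }

    # Staleness check: a job that "succeeds" but never writes a new archive
    # leaves an old file behind. stat -c is GNU; stat -f is the BSD/macOS form.
    now=$(date +%s)
    mtime=$(stat -c %Y "$archive" 2>/dev/null || stat -f %m "$archive")
    age=$((now - mtime))
    [ "$age" -le "$max_age" ] || { echo "FAIL: $archive is ${age}s old"; return 1; }

    # Actually restore into scratch space; an unreadable archive fails here.
    tmp=$(mktemp -d)
    if ! tar -xzf "$archive" -C "$tmp" 2>/dev/null; then
        echo "FAIL: $archive could not be extracted"; rm -rf "$tmp"; return 1
    fi

    # Compare every current file with its restored copy. Missing or changed
    # files are reported individually. (Demo only: file names containing
    # whitespace are not handled by this word-split loop.)
    status=0
    for f in $(cd "$src" && find . -type f); do
        if ! cmp -s "$src/$f" "$tmp/$f"; then
            echo "FAIL: $f missing from or differs in $archive"; status=1
        fi
    done
    rm -rf "$tmp"
    [ "$status" -eq 0 ] && echo "OK: restore of $archive verified against $src"
    return $status
}

# make_fixture: constructed sample data. Prints the working directory.
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/live/docs"
    printf 'invoice 1\n'  > "$work/live/docs/inv1.txt"
    printf 'contract v2\n' > "$work/live/docs/contract.txt"

    # Good backup: taken from the live data.
    tar -czf "$work/good.tgz" -C "$work/live" .

    # Silently failing backup: the job ran "successfully" every night against
    # a stale copy that stopped receiving new files months ago.
    mkdir -p "$work/stale/docs"
    cp "$work/live/docs/contract.txt" "$work/stale/docs/"
    tar -czf "$work/bad.tgz" -C "$work/stale" .
    echo "$work"
}

# run_demo: returns 0 when the good archive verifies and the bad one is caught.
run_demo() {
    work=$(make_fixture)
    good=0; bad=0
    verify_backup "$work/good.tgz" "$work/live" 86400 || good=1
    verify_backup "$work/bad.tgz"  "$work/live" 86400 || bad=1
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Run as `sh verify_backup.sh` after adding `run_demo` as the last line; in production you would point `verify_backup` at the real archive and live directory from a scheduled job and alert on a non-zero exit, so that a restore is exercised every cycle rather than only on the day the ransomware arrives.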