Epsilon Data Breach Could Cost Billions

The recent high profile data breach at email marketing services company Epsilon could end up costing the company as much as $4 billion (£2.4 billion), according to a recent report.

Epsilon will face years of repercussions, up to $225 million (£136 million) in liabilities and $45 million (£27 million) in lost business, cyber-risk analytics and intelligence firm CyberFactors said in a report released 29 April.

The report broke down costs for forensics audits and monitoring, fines, litigation and lost business for Epsilon and its affected customers in a three-year outlook.

High Profile, High Cost

The total cost of the Epsilon breach could eventually run as high as $3 billion to $4 billion, given that compromised email addresses could be used by hackers and phishers to gain access to sites that contain consumers’ personal information, according to CyberFactors. This figure includes costs to Epsilon, its customers and the individuals whose email addresses were stolen. Until a spear phishing campaign that can be directly linked to the breach occurs, the estimate remains “theoretical,” according to the report.

“Cloud companies would be wise to think more like banks, insurance companies and hedge funds, and not just aggregators of the world’s precious data and technology dependencies,” said Regina Clark, research and analytics director for CyberFactors.

The company disclosed 30 March that attackers had breached its databases and stolen email addresses for two percent of its customers, which included major names such as Best Buy, Citibank and the Walt Disney Company. Epsilon has not revealed the number of affected consumers or the number of email addresses stolen.

Despite Epsilon’s claim of two percent affected customers on an April conference call with analysts, it was more likely that the breach involved 75 companies, or three percent, of the company’s client roster, according to the CyberFactors report. The repercussions, which include notifying customers and changing marketing strategies, would wind up costing $412 million (£250 million). Combine that with liabilities, and Epsilon is looking at an aggregate cost of $637 million (£386 million), or more than half a billion dollars, for an email database.

Ed Heffernan, CEO of Alliance Data had projected no “meaningful” costs or liability related to the incident.

Risk Environment

Each customer will likely face $5.5 million (£3.3 million) in costs, which would include notifying consumers, settlements and legal fees, compliance costs and loss of business.

CyberFactors “conservatively estimated” the number of compromised email addresses at 60 million. The analysis assumed that the affected Epsilon customers had roughly equal numbers of emails compromised.

Epsilon will likely be paying for the breach for years, as 51 percent of the costs will be incurred in year one, 42 percent in year two, or 2012, and seven percent in year three and thereafter.

“The Epsilon event suggests a much more profound financial risk environment is now upon us,” Clark said.

Epsilon, and its parent company, Alliance Data Systems, are understandably concerned about losing customers as a result of the breach. The “vast, vast majority, if not all” of the clients would stick around, Heffernan had predicted after the breach. CyberFactors said it was more likely that Epsilon will lose both current and potential customers scared away by the news.

Loss of revenue related to customer churn could range from $6.1 million (£3.7 million), if only one percent of customers moved their business elsewhere, to more than $30 million (£18 million) if five percent of the customers left, according to the report.

The economics of business risk for cloud providers and their customers can no longer be ignored and cloud vendors need to innovate. “Everyday people are at risk and starting to get breach fatigue and quite frankly, severely irritated,” the report authors wrote.