This past July, I posted a blog regarding an insider attack on education services provider Benesse. At the time it was thought that up to 10.2 million items of personally identifiable information (PII) relating to children had been hacked. Now, two months later, it is becoming disturbingly clear that the reality is in fact much worse.
The damage to Benesse was already stacking up, but the hidden costs of the attack continue to be a burden weighing heavily on the company financially, operationally and organizationally.
Financial Statistics
- Original number of hacked data items: 10.2 million
- This has risen to 28.9 million
- July share price drop: 8%
- This has increased to approx. 19%, wiping nearly $700,000 off its valuation
- Original contingency fund: $20 million
- This has risen to approx. $137M with every customer receiving a ¥500 ($4.60) cash voucher
As a company that only reported (July 2014) a net loss of ¥13,637m ($128,000) and cash assets of ¥83m ($774,000) for the preceding six-month period, the additional contingency fund (specifically associated with the insider attack) and the loss of valuation are hitting the business hard.
Operations
At the time of the insider attack, Benesse were using an IT service provider who employed Masaomi Matsuzaki as a third-party database management contractor. Benesse have since resolved to no longer outsource customer data operations to an outside company. They will set up a new joint venture with an information security service firm, but will retain the maintenance and operation of their data system in-house.
Organization
Benesse management were reprimanded directly by the Industry Minister and remarks were made by the Chief Cabinet Secretary regarding the possible revision of the personal information protection law. Benesse have needed to act quickly and will now be appointing a new chief information security officer and a chief legal officer.
Summary
The financial penalties incurred have been severe, but could have been even worse if the stolen data had been used for malicious attacks rather than only for marketing purposes. Benesse seem to have evaluated their shortcomings, regained control of their customer data and brought a new focus to security and compliance, which should be applauded. However, the breach will continue to incur costs and disruption to the business until new information governance policies and technology are integrated that protect the data while allowing operational fluidity.
Adaptive Redaction functionality would have prevented Masaomi Matsuzaki from removing the 28 million+ records he stole. Whether he had tried to copy the information directly, hide it within an attachment or embed it within an executable file, the Clearswift Adaptive Redaction features would have removed the sensitive content and left Mr Matsuzaki with a smartphone containing only a worthless file of ‘*’s. This would have saved Benesse the $130 million-plus (and growing) cost of this single attack on their customer data.