The consequences of a data breach: why fines are just the tip of the iceberg

When it comes to the true ramifications of a data breach, suffering a financial penalty imposed by the ICO is just the tip of the iceberg. Although significant, fines are only one aspect financial organizations have to deal with as part of the aftermath. We saw the media frenzy that surrounded the Capital One data breach, and most of us heard when First American exposed 885 million sensitive financial records online. As a result of these breaches, the reputational damage suffered by these companies was significant and, with no ‘quick fix’ available, research suggests that rebuilding commercial trust between stakeholders after a data breach is one of the most difficult challenges a company must overcome, regardless of its revenue.

In the case of the First American financial data breach, customers’ social security numbers, driver's license images, bank account numbers and statements, mortgage and tax documents, and wire transaction receipts were exposed and visible to anyone who knew the modified URL. With this link, business email compromise scammers had an endless supply of phishing templates to use, and cybercriminals had access to an abundance of information about upcoming real estate financial transactions, as well as the email addresses, names, and phone numbers of estate agents and buyers. This example clearly demonstrates that, as well as the obvious monetary loss to an organization, which according to IBM’s 2019 report now averages $3.92 million per breach, data breaches have a far wider and longer-term impact.

Operational disruption

From the moment an organization suffers a data breach, operations are heavily disrupted. In a financial organization, this can have catastrophic consequences. Depending on the severity of the breach, it’s likely the forensic team will want to discover what has been stolen and how. This process can take time and operations may be shut down until answers are found. The longer operations are down, the more revenue is lost. And it’s usually not just one department or part of the company that’s impaired by a breach – the whole organization suffers.

As it’s no longer a question of if an organization suffers a breach but when, it’s vital that financial organizations not only have processes in place to mitigate an attack but also have plans for what to do and how to communicate when an attack occurs.

Reputational damage

Research has shown that up to a third of financial institutions’ customers will stop doing business with organizations that have suffered a data breach. Worse still, 85% of customers will likely tell others about their negative experience, with 33% using social media and 20% commenting directly on the company website. And it’s not just customers or suppliers whose perception of the company suffers after a data breach. When employees have their personal data lost, they’re likely to lose trust in their employer. Morale can be damaged by a breach where employee data is impacted, with 48% of employees believing their identity has remained at risk years after a single data breach. Organizations should view employee data as being equally valuable as customer data and subject it to the same security measures; cybersecurity strategies need to protect the organization’s entire data store.

Our Adaptive Data Loss Prevention (A-DLP) solution provides organizations with automated redaction and sanitization of sensitive and hidden data. It applies the optimal security treatment based on content, context and the required regulatory policy, ensuring that all critical data is protected, no matter what it concerns. This ensures that information flowing inside and outside the company remains secure, and helps employees feel that their employer is doing its utmost to protect their personal data.

Failure to prepare is preparing to fail

Earlier this year, we published research showing that high-profile fines had the greatest impact on board-level involvement and cybersecurity spending plans within UK financial organizations. While both are positive outcomes, it is worth remembering that a fine is just one consequence an organization suffers after a data breach and, as we’ve illustrated above, other consequences can be just as damaging, if not more so, given the time it takes to recover from them.

With 70% of financial organizations reporting a data breach within the last 12 months, there’s much financial organizations can do to mitigate the risks and limit the damage. This includes leveraging technology as a safety net to protect data and creating an incident response plan so that when an attack occurs, the organization is prepared to act quickly in response.

Additional reading

Clearswift Adaptive Data Loss Prevention

How UK finance companies invest their security budget

Cyber security and the finance sector: the need for stronger data protection capabilities

Cybersecurity training for staff: getting it right