The cost of a data breach can be considerable, as has been clearly demonstrated by the hacking of TalkTalk. The hacking of the UK-based Internet service provider resulted in 157,000 customer accounts being compromised, with 15,656 bank account numbers and sort codes stolen by the hackers.

The group of hackers responsible for the security breach spoke to the media soon after and talked of the poor security at TalkTalk, and how easy it was to gain access to sensitive customer data. One of the hackers even said that in one instance, a three-digit password had been used to secure an account.

The hacking incident triggered a media storm which tarnished the ISP’s image and resulted in many customers changing ISP to one that was perceived to offer better security. As to how many customers have changed their mind about signing up with TalkTalk, that is unlikely to ever be known.

Soon after the discovery of the extent of the data breach, TalkTalk chief executive Dido Harding told the BBC that the company still expected its end of year results to “be in line with market expectations,” and that the data breach would likely result in one-off costs of between £30 million and £35 million.

However, the ISP seriously underestimated the fallout from the hacking incident. The current costs now stand at £60 million, double the initial estimate and enough to make a noticeable dent in the company’s profits. That cost was broken down as one-off costs of around £45 million and a trading impact of £15 million.

The Cost of a Data Breach is Easy to Underestimate

The cost of a data breach is difficult to accurately calculate. It is possible to arrive at a reasonable estimate of the cost of breach resolution measures. The cost of implementing new security controls to prevent future cyberattacks is fairly easy to predict, as is the cost of mailing breach notification letters to customers. What is much harder to estimate is the loss of business as a result of a breach of customer data.

TalkTalk took the decision to offer customers a free upgrade of services and told those affected financially by the breach that they would be free to leave without penalty. Since customers who had not suffered losses were not permitted to leave without a cost, many had to wait until their contract expired before switching provider. According to the latest figures, the company lost 101,000 customers as a result of the data breach.

The decision to offer a free upgrade of services proved to be a wise move, not only to prevent customers who had been affected by the data breach from leaving, but to convince other customers to stay. The free upgrade has reportedly been taken up by around 500,000 customers. Even with that upgrade, the company understandably experienced a higher churn rate, with many choosing not to renew their contracts when they came to an end.

The total impact on revenue was estimated to be around 3%, although the company now appears to be recovering, with the churn rate having improved in the past two months. According to Harding, “Trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident.”