The Home Depot discovered a data breach in September 2014 that affected customers who used a payment card at Home Depot from April 2014 on. Approximately 56 million credit cards were stolen. It has also just been disclosed that 53 million email addresses were stolen. While the breach of email addresses may seem insignificant, it does open consumers up to targeted phishing attacks.
As Stephen Treglia, Legal Counsel here at Absolute Software, wrote earlier this year, this breach sounds like a modern fiction story: “Russia teen responsible for $62 million breach!” Unfortunately, this has been the reality. Home Depot’s breach has cost $62 million, with more costs likely to come. Insurance will only cover $27 million. For reference, Target’s (smaller) breach cost the company $148 million.
These figures paint a grim picture of the breadth and cost associated with data breaches, but they don’t necessarily lend any insight into the time it takes to recover from these breaches. Although some litigation can be avoided by offering credit monitoring, companies will still face tremendous and lengthy litigation proceedings. Organizations face litigation and class action lawsuits from customers, investigations and fines from a variety of state and federal agencies, litigation from banks, shareholders and others, and possibly even criminal prosecution.
Home Depot is currently facing at least 44 lawsuits in the United States and Canada following its own breach earlier this year, with pending action yet to come from state and federal agencies, banks, shareholders and more. Aside from the direct financial costs of these investigations and legal proceedings, which could drag on for years, untold hours by Home Depot executives will be spent on the fallout. The lost time and focus are hard to quantify.
Organizations are bearing a high cost for these data breaches. More needs to be done to provide layered protections for data, wherever it resides: in use, in motion or at rest. And more needs to be done to detect these breaches quickly.
How will you add protections to your corporate data in 2015?