The cost of a data breach.. the TalkTalk experience

November 15, 2015

The data breach at the UK telco TalkTalk is throwing considerable light on how data breaches cause reputational damage, can be difficult to quantify accurately early on and can have ripple effects on the organisation, and on how much they cost. It has also highlighted the importance of a cyber response plan.

The initial concern was that the TalkTalk breach potentially affected all of its 4 million customers. A review has confirmed the impact as being:

Investigations by both TalkTalk and the Metropolitan Police continue, and further to our update on Friday 30th October we are now able to confirm which customers were affected:

  • The total number of customers whose personal details were accessed is 156,959;
  • Of these customers, 15,656 bank account numbers and sort codes were accessed;
  • The 28,000 obscured credit and debit card numbers that were accessed cannot be used for financial transactions, and were ‘orphaned’, meaning that customers cannot be identified by the stolen data.

As we have previously confirmed, the credit and debit card details cannot be used for financial transactions. The bank account details that were accessed are, on their own, not enough to take money from your account and are the same as would be found on a cheque. We have also contacted major banks to inform them of the affected bank accounts.

The chief executive of TalkTalk, Dido Harding, in an interview with the BBC reported in “TalkTalk hack to cost up to £35m”, has estimated the cost to the bottom line in one-off costs as being up to £35 million. The problem is ongoing, with the House of Commons investigating the breach. That means ongoing reputational damage and heavy legal fees, on top of almost immediate financial strain. The cost of this breach far exceeds the average cost of serious data breaches, which according to a report by PwC earlier this year was on average more than £1.5 million, with the upper range being £3 million. In that survey 90% of large organisations reported a security breach. The breach rate for small businesses was 74%. The average period of disruption was 4 – 11 days. Importantly, the report concludes that the number of breaches and the unit cost of breaches are increasing year on year.

The article provides:

The cyber-attack on TalkTalk could cost it up to £35m in one-off costs, the company has said.

Following the hack, which divulged some users’ financial details, all customers of the telecoms group will be offered a free upgrade.

Chief executive Dido Harding said that despite the hack, TalkTalk was “well positioned to deliver strong and sustainable long-term growth”.

The firm expects full-year results to be in line with market expectations.

TalkTalk shares had jumped more than 13% by the close of trade on Thursday, but were still down more than 20% compared with their pre-hack value.

Speaking to the BBC, Ms Harding said: “The estimated one-off costs are between £30m and £35m – that’s covering the response to the incident, the incremental calls into our call centres, obviously the additional IT and technology costs, and then the fact that over the last three weeks until yesterday our online sales sites have been down, so there will be lost revenue as a result.”

Upgrade or leave?

She added that in recognition of the uncertainty that this had caused customers, they would be offered an upgrade.

A spokesperson said the type of upgrade offered would depend on the kind of package customers already had. For example, customers with TV packages might be offered a sports channel that they did not already have.

Customers who were financially affected directly will be free to leave TalkTalk without financial penalty. They would have to be able to show they had lost money as a result of the hack.

Customers who wish to leave for a different reason – for example, if they feel their data is not secure – would still have to pay a contract termination fee.


Small print matters. Some of TalkTalk’s millions of customers might have been angry enough to try to terminate their contracts when the telecommunications company first revealed details of a major data security breach last month.

But, with contracts for mobile, fixed line, broadband and television services of up to two years (always worth looking at those few lines at the bottom of the paperwork) customers found they couldn’t leave TalkTalk without incurring hefty costs.

When Dido Harding, the chief executive, first announced two weeks ago that customers would only be able to leave if they could show a “direct impact” on their bank account – a pretty high bar – investors heaved a sigh of relief and TalkTalk’s share price bounced up.

It was up again this morning – by more than 12% – as the half-year results revealed that TalkTalk was still expected to make £300m profit before tax this year. And that revenues were up 6%.

On 21 October, hackers attacked TalkTalk’s website, stealing confidential customer data.

The firm was initially uncertain as to the extent of the hack, but after an investigation it said last week that 157,000 of its customers’ personal details had been accessed.

More than 15,600 bank account numbers and sort codes were stolen. Four people have been arrested and bailed in connection with the hack.

Ms Harding told the BBC that it was “too early to tell” what the longer-term impact of the breach would be on the business.

“We of course saw an immediate spike in customers cancelling their direct debit, but actually after a few days we saw many of those customers reinstating their direct debits again, so time will tell, but the early signs are that customers think we are doing the right thing,” she told BBC business editor Kamal Ahmed.

Paula Barrett, a partner at law firm Eversheds, said preventing cyber-attacks costs money, but not preventing them costs more.

“Today’s announcement reinforces how significant the cost impact of this sort of event can be. There can be a very long cost tail to these scenarios, which may run for years as new systems and processes have to be adopted and claims handled,” she said.

An interesting twist in the TalkTalk breach is that a 15-year-old who has been accused of being part of the breach has sued the media for a breach of privacy and obtained injunctions against Google and Twitter to remove that person’s name, address, images etc. This curious episode is reported in “Boy arrested in TalkTalk probe sues three papers for breach of privacy”.
