The Enterprise-Level Collateral Damage of a Credit Card Data Breach

Much of the public discussion on cybersecurity and compromised identities has centered on the credit card data breach – to the point where the public barely raises an eyebrow over new incidents. And indeed, most credit card issuers have become very efficient at detecting fraudulent activity over the past few years, so the effect on end-users has been greatly minimized. However, to this point there has been almost no public discussion of the SMB and enterprise-level collateral damage of such incidents.

Wendy’s is the Latest to Suffer a Credit Card Data Breach

In what may be one of the largest credit card data breaches in history, Wendy’s has now admitted that 1,025 locations were infected with malware that attacked the stores’ point-of-sale systems. The infiltrators were able to collect cardholder names, card numbers, expiration dates, and verification information. The number of individuals impacted by the incident is as yet unknown. However, Wendy’s is now embroiled in at least two lawsuits initiated by credit unions related to the extraordinarily large number of credit and debit card fraud claims since the announcement of the theft earlier this year – highlighting the reality that other SMBs and enterprises are exposed to collateral damage as a result of a hack. Beyond the increased liability that financial institutions face, here are a few potential forms of SMB and enterprise-level collateral damage:

  • Financial Fallout for Credit Unions and Smaller Card Issuers: The cost to credit / debit card issuers after a cybersecurity incident is significant, including notification of the card holders, issuing new cards, and providing upgraded credit / fraud monitoring for the affected accounts. Then there are the endless customer service calls – at a cost of $20 or more each time the phone rings. Large institutions (those with assets in excess of $1 billion) have economies of scale that can drive down the per-unit costs. But community credit unions and smaller card issuers experience a significant drain on their financial and other resources.
  • Customers Fail to Renew Unused Subscriptions: Monthly subscription fees for services are a significant revenue stream for many companies. Regardless of whether or not the customer uses his Netflix, Zipcar, or Spotify subscription, the company that sold the subscription charges the customer monthly via his credit/debit card. Often those subscriptions are sold with an “auto renewal” feature so that the customer doesn’t need to bother with considering whether or not the subscription is worthwhile. However, when millions of individuals receive new cards because of a hacking incident, that’s millions of subscription customers who will be weighing carefully whether or not to renew their subscription on their new card – resulting in a potentially significant loss of sales revenue for companies that were not targeted by the cyber-criminals.
  • Increased Regulatory Costs: California’s Senate Bill 1386, enacted July 1, 2003, was the first state regulation in the nation requiring businesses to notify individuals whose information was compromised as a result of a cyber security incident. Forty-seven states followed suit soon thereafter. In 2004, California was again in the regulatory vanguard with the passing of AB 1950, which required businesses to have minimum security measures in place before hackers gain access. Again, many states have followed the California model and enacted their own proactive cyber security laws. Each year, as more breaches occur, more laws are enacted requiring more regulatory compliance – and increased operational costs – on the part of medium and large companies.
  • Increased Offloading of Corporate Liability: A 2015 survey of corporate directors and officers found that 90% of the respondents believe that contracted software providers should be held financially accountable when hackers find and penetrate vulnerabilities in the software they provide. 65% of respondents indicated that they are already including extended liability clauses in their third-party software contractor agreements. Third-party providers typically do not have the financial resources to absorb the offloaded costs of a cyber attack. These small and medium-sized businesses will need to mitigate their client-shared risk through cyber insurance – with annual premiums easily reaching as much as 4%–5% of the company’s annual gross revenues.

When a credit card data breach occurs, the targeted organization will suffer significant losses from lawsuits, efforts to ameliorate the ramifications for its customers, incident response costs, possible regulatory fines, and legal costs. But an incident like the one that befell Wendy’s or Target may have significant and lasting ramifications for other SMBs and enterprise-level organizations – collateral damage that could easily run into the billions of dollars in less than a decade. Companies and agencies subject to the fallout of a credit card data breach certainly will not be offered two years of credit monitoring by the targeted organization. Who will be responsible for bearing the cost of such damages?

To find out more about protecting an enterprise-level business from cyber attacks… schedule a ThreatModeler™ demo or contact us today.