A majority of the public discussion on cybersecurity and compromised identities has centered on the credit card data breach – to the point where the public barely raises an eyebrow over new incidents. Credit card issuers have become more efficient at detecting fraudulent activity over the past few years, so the effect on end-users has been greatly minimized. However, to this point there has been almost no public discussion of the small-to-medium business (SMB) and enterprise-level collateral damage of such incidents.
Earl Enterprises a Victim of Data Theft Involving 2 Million Records
Guests at Earl Enterprises restaurants came to the shocking realization that hackers had made away with their payment data. Security researchers found the private information being sold online. Hackers installed malware in POS systems at locations across 40 states. Cybercriminals stole more than 2 million records between May 23, 2018 and March 18, 2019.
The company conducted an internal investigation, cooperated with the FBI and enlisted the support of two cybersecurity firms. Earl Enterprises has implemented close monitoring of its systems and is working to improve its cybersecurity posture. The company also launched a website for its customers to determine whether they were impacted by the data breach; that site has since been taken down (the link redirects to the home page).
Affected restaurants include Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria. The following data was breached:
- Credit and debit card numbers
- Expiration dates
- Cardholder names
Wendy’s Suffered a Monumental Credit Card Data Breach
In 2016, in what was one of the largest credit card data breaches in history, Wendy’s admitted that 1,025 locations were infected with malware that attacked the stores’ point-of-sale systems. The infiltrators were able to collect cardholder names, card numbers, expiration dates, and verification information. The number of individuals impacted by the credit card data breach is as yet unknown.
However, Wendy’s is now embroiled in at least two lawsuits initiated by credit unions over the extraordinarily large number of credit and debit card fraud claims filed since the announcement of the theft earlier this year – highlighting the reality that other SMBs and enterprises are exposed to collateral damage as a result of the attack. Beyond the increased liability that financial institutions face, here are a few potential forms of SMB and enterprise-level collateral damage from a credit card data breach:
- Financial Fallout for Credit Unions and Smaller Card Issuers: The cost to payment card issuers after a cybersecurity incident is significant, including notifying cardholders, issuing new cards, and providing upgraded credit and fraud monitoring for the affected accounts. Then there are the endless customer service calls – at a cost of $20 or more each time the phone rings. Large institutions (those with assets in excess of $1 billion) have economies of scale that can drive down the per-unit costs. But community credit unions and smaller card issuers experience a significant drain on their financial and other resources.
- Customers Fail to Renew Unused Subscriptions: Monthly subscription fees for services are a significant revenue stream for many companies. Regardless of whether the customer actually uses his Netflix, Zipcar, or Spotify subscription, the company that sold the subscription charges the customer monthly via his credit/debit card. Often those subscriptions are sold with an “auto renewal” feature so that the customer doesn’t need to consider whether the subscription is still worthwhile. However, when millions of individuals receive new cards because of a credit card data breach, that’s millions of subscription customers who will be weighing carefully whether to renew their subscription on the new card – resulting in a potentially significant loss of sales revenue for companies that were never targeted by the cybercriminals.
- Increased Regulatory Costs: California’s Senate Bill 1386, enacted July 1, 2003, was the first state regulation in the nation requiring businesses to notify individuals whose information was compromised as a result of a cybersecurity incident. Thereafter, 47 states followed suit. In 2004, California was again in the regulatory vanguard with the passing of AB 1950, which required businesses to have minimum security measures in place before an incident occurs rather than only reacting afterward. Again, many states have followed the California model and enacted their own proactive cybersecurity laws. Each year, as more breaches occur, more laws are enacted requiring more regulatory compliance – and increased operational costs – on the part of medium and large companies.
- Increased Offloading of Corporate Liability: A 2015 survey of corporate directors and officers found that 90% of respondents believe that contracted software providers should be held financially accountable when attackers find and exploit vulnerabilities in the software they provide. 65% of respondents indicated that they are already including extended liability clauses in their third-party software contractor agreements. Third-party providers typically do not have the financial resources to absorb the offloaded costs of a cyberattack. These small and medium-sized businesses will need to mitigate their client-shared risk through cyber insurance – with annual premiums easily reaching as much as 4% – 5% of the company’s annual gross revenues.
When a credit card data breach occurs, the targeted organization will suffer significant losses from lawsuits, efforts to ameliorate the ramifications for its customers, incident response costs, possible regulatory fines, and legal costs. But an incident like what befell Wendy’s or Target may have significant and lasting ramifications for other SMBs and enterprise-level organizations – collateral damage that could easily run into the billions of dollars in less than a decade. Companies and agencies subject to the fallout of a credit card data breach certainly will not be offered two years of credit monitoring by the targeted organization. Who will be responsible for bearing the cost of such damages?