Death by a Thousand Cuts: Why Downstream Fraud Could be the Biggest Cost of a Data Breach
Posted June 12, 2015
If the last week or so has taught us anything it’s that data breaches are becoming increasingly expensive for organisations across the globe. Various reports have tried to put a figure on exactly how much they’re costing firms. But fixating on these stats means we’re in danger of losing sight of the real victims of a major compromise: the customers. After all, it’s their personal and financial information that is eventually sold on the dark web and used in follow-up fraud attempts.
I’d argue that the fall-out from this “downstream fraud” has the potential to outgun even the original large scale data theft. But while there’s very little an organisation can do to stop a determined, targeted cyber attack, the solutions exist today to reduce fraud losses by up to 90%.
At Infosecurity Europe two weeks ago, consultancy PwC announced the latest version of its much respected Information Security Breaches Survey for the UK. The stats were pretty stark: the number of both small and large businesses having experienced a data breach rose by around 10% from the year before. What’s more, the cost of said breaches rose for small firms from a range of £65K-£115K in 2013 to £75K-£311K in 2014. For large firms, the average top-end cost was calculated at £3.1m, up from £1.15m a year previous.
PwC wasn’t the only organisation out to calculate the cost of major cyber incidents. Economic forecasters the Centre for Economics and Business Research (CEBR) claimed this week cyber crime costs UK businesses £34 billion.
But exactly how are these soaring figures calculated? Certainly remediation and clean-up costs are worked out, including any new security products and services that have to be bought. Then there are legal fees, any post-breach dip in sales and share price, and even the cost of follow-up fraud from chargebacks. All of these can be calculated with a relatively small margin of error. But the big imponderable is the impact on brand value and customer loyalty.
The big knock-on
The problem with intangible values such as brand and loyalty is that they’re virtually unquantifiable. Yet what happens to breached records once they’ve been stolen has a potentially huge impact on both of these aspects. Typically they’ll end up on a darknet site for fraudsters, where they’re bought and sold at the market price. It’s a fully functioning, highly professional and thriving ecosystem hidden away from prying eyes on the un-indexed web.
Fraudsters will buy these credentials – whether they’re financial details, or increasingly, personally identifiable information – and use them in payment fraud, account creation fraud and account takeover. The most recent ThreatMetrix® Cybercrime Report: Q1 2015 found that the highest risk type was account creation, which accounted for 4% of fraudulent transactions. The scammers know they’ll stand a better chance of success using stolen credentials in this way – more so than using stolen card details, which may be blocked outright – especially if they use crimeware tools to cloak their identity.
The resulting identity fraud ends up costing the breached firm in chargebacks, of course. But perhaps more importantly, it puts the customer through an often long and arduous process of reclaiming their identity. Cards take time to be reissued, money to be refunded and credit ratings to be reset. It’s an experience likely to cause even the most loyal customer (and how many of those exist today?) to take their business elsewhere. In so doing, of course, they’ll tell the world about their experience via social media, chipping further away at the firm’s brand value.
Organisations seem to be worried more about the initial breach, and the headlines that follow, than the “death by a thousand cuts” of downstream data fraud. Yet it’s widely acknowledged that a determined attacker will always be able to breach a target, no matter how strong their defences. On the other hand we are already taking great strides to foil the cyber fraudsters.
The ThreatMetrix® approach is to use anonymous, customer-based device, identity and behavioural data to decide who can be trusted. It’s generated from a staggering one billion transactions each month across 15,000 websites to spot the tell-tale patterns indicating fraud. What’s more, it’s completely transparent to the end user, takes less than 200 milliseconds and costs less than a penny per transaction.
It’s time organisations everywhere woke up to the fact that the real cost of data breaches happens downstream.