Canadian money lender Desjardins Group announced earlier this week that it has spent a huge CAD $70 million (£44 million) on a privacy data breach that affected 2.9 million of its customers, Reuters reports.
Commenting on the spending, Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, says: “Unfortunately, it seems that the amount is merely a harbinger of much higher financial losses and spiraling spending that will likely last for years. Most businesses foreseeably downplay data breach losses, omitting vital components of the inflicted damages in their calculations.”
In the breach, which was revealed in June, social security numbers, passwords, addresses and banking habits were exposed. It happened after an employee of Desjardins collected the data and passed it on to a third party, despite not being authorized.
It isn’t just about the money
As compensation, those affected were offered identity theft insurance for 5 years along with a credit monitoring plan, free of charge. Possible monetary compensation is still being decided by a judge.
Kolochenko argues that these cases don’t always end when the victim is given reimbursement. He says: “Individual and collective lawsuits initiated by the victims, even if settled with comparatively scanty compensation afterwards, usually end years after the breach. Penalties and regulatory fines imposed by the governments, often in different countries thereby aggravating the costs, likewise are not of an immediate nature.”
Is this just one of many?
The announcement comes after Canadian Imperial Bank of Commerce and Bank of Montreal reported last year that almost 90,000 customers had been affected by a similar data breach. This violation was thought to be the first of its kind in the country.
The CEO of ImmuniWeb argues that the impact hacking has on a firm isn’t just a financial one. He says: “The ongoing reputational damage and loss of business is frequently incremental but somewhat imperceptible. Most customers and partners won’t resign their contracts with a hacked company immediately after the incident for a diversity of practical reasons, though they will undoubtably have less intention of renewing their contracts afterwards.”