Will HMRC breach cost £625 million?
By Nicole Kobie
In addition to revealing holes in security practices, will the growing number of public sector data losses put an even bigger hole in the public purse?
A study into UK data breaches has suggested the average cost per record of a data breach is £47 - even higher for financial firms and third-party breaches.
With that in mind, the cost associated with the HM Revenue and Customs child benefit data loss could easily exceed £600 million, a figure that, if accurate, would ultimately have to be covered from the public purse.
Putting a number on such scandals is no easy task, said security firm McAfee's Greg Day. "I honestly think that every incident is different," he said. "It depends on what level of data it was and what type."
But Guy Bunker, analyst at study-sponsor Symantec, said the average rate was a good start. "If you put your finger in the air, it's as good a place to start as any," he said. "It's tangible evidence that data loss costs money."
The cost is broken down into three main areas. The first cost is notification, just £1 per record - not surprising, given it's often little more than sending a letter. Detection and other activities add £15 per record, post-discovery activity (such as protecting accounts) adds £15, while the cost of lost business adds another £17 - for a total cost of £47 per record on average, across sectors.
"When you start to go up to a million [lost records], just notification is a huge expense," Symantec's Bunker noted. "Losses have a big effect on reputation, but a lot of other things have a bigger effect than this."
Bob Tarzey, of analyst firm Quocirca, said: "This is really going to vary. For example, there is no evidence that the HMRC data loss last year cost anything in terms of the data actually being used to exploit taxpayers, as it is not even clear that the data reached the public domain. However, the cost to HMRC's reputation was immense; if it had been a company this may well have led to a share price drop. On the other hand, a commercial organisation might be able to keep real data loss and exploitation under wraps (as far as the press is concerned), so whilst real money is lost, damage to reputation may be zero."
The study said end-cost was also affected by who caused the incident. If the records were lost by the organisation itself, the average cost fell to £42. Data breaches caused by third-party organisations are more costly, at an average £59.
Another cost differential is sector. Not surprisingly, losses by financial firms were more expensive than others, averaging out at £55.
The study noted it covered 21 breaches ranging in size from 2,500 to 125,000 records - clearly leaving out the HMRC breach last year, which hit 25 million people.
So just how much would some of the most infamous breaches of the past year cost, according to the Ponemon study?
HMRC Child Benefit Records: £625 million
With some 25 million people affected by just two lost discs, this was the government scandal that kicked off months of disclosures. Using the study's average cost of £42 per record for an internal loss, the cost of that scandal could top a billion pounds.
However, as people have no choice but to use the tax body, costs associated with lost business can be ignored. At a cost of £1 per notification, that's already a £25 million bill; add in detection and post-incident security improvements, and the bill could hit £625 million.
Bunker warned that costs could be long-term, too. "If you were to discover the two discs in five or ten years' time, the majority of bank accounts would still be valid," he said.
HMRC and Standard Life: £825,000
The loss of a disc containing 15,000 pensioners' details hit both HMRC and Standard Life. Breaches hitting financial firms cost more, some £55 per record, making this incident worth some £825,000, according to the study figures.
Marks and Spencer: £1.5 million
A contractor lost a laptop with 26,000 records from the high street icon. As third-party losses hit harder, the study suggests M&S can expect to pay £59 per record for the 26,000 which went missing - a total cost of £1.5 million.
Nationwide: £605 million
The loss of 11 million records by the building society led to a £980,000 fine. In addition to that, however, at a rate of £55 per record, the firm can expect to see a business hit of some £605 million in lost business, security upgrades and other costs, the study suggests.
Skipton Financial Services: £770,000
The financial firm was recently told off by the Information Commissioner's Office for losing a laptop, but escaped the massive fine which hit Nationwide. Still, at the rates described in the Ponemon report, the 14,000 lost records cost the firm some £55 each - a grand total of £770,000.
Whether these costs are realistic or not is impossible to tell without inside information and a strong audit trail, but such frightening numbers could help push businesses to take data security seriously. McAfee's Day said: "Over the last year, they are very much seeing the realities of this because of the number of disclosures we've had."
Hopefully, such high numbers of incidents and costs could mean organisations move to take the issue seriously. "People dealing with this information should look after it as if it were their own," Symantec's Bunker said. "The costs associated with the solutions are significantly less than the cost of dealing with a data loss."