The ultimate fee for the data breach last month at email service provider Epsilon could reach as high as $4 billion, depending on what becomes of the data that was stolen, according to a cyber-risk advisory firm.
This sum includes costs to Epsilon, its customers and the individuals whose email addresses were stolen, according to a report by CyberFactors.
That figure could be reached if criminals get hold of the email addresses and successfully exploit them to gather more personal information and carry out a spear-phishing blitz, according to the report. "However, until such an event takes place and can be directly linked back to this specific breach, the estimate remains theoretical, but certainly possible given the multitude of sites that use email addresses as user IDs," the report says.
The firm's more conservative estimate for the cost of the March 30 breach is $637.5 million. That's in stark contrast to the estimate given by Ed Heffernan, the president and CEO of Epsilon's parent company, Alliance Data Systems. He projected no "meaningful" costs or liability related to the incident and that the "vast, vast majority, if not all," of Epsilon's clients would stick with the company.
But CyberFactors says it is more likely that Epsilon will lose some current customers and lose the business of potential future customers who are scared away by news of the breach.
Costs to Epsilon's customers could be $5.5 million each for notification of their customers about the theft, settlements to those customers, legal defense, compliance adjustments and loss of business, the report says.
Epsilon's costs will include all of those factors plus a forensic investigation into how the breach happened, regulatory investigations and fines, CyberFactors says.
Typically with breaches, these costs come stumbling in over several years, with about 51% being realized in the first year and 42.2% in the second year, with the remaining 6.8% coming in at three years or later, the report says.
If Epsilon does lose customers because of the breach -- this would be measured by abnormal churn among the customer base -- lost revenues would range from $6.1 million if 1% are lost, to $30.6 million if 5% are lost, the report says.
CyberFactors assumes in its figures that the Epsilon customers whose data was breached had roughly equal numbers of emails compromised.