Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Identity and Authentication Services

The true cost of online fraud

Created: 21 Mar 2008 • Updated: 08 Aug 2012
Vicente's picture
0 0 Votes
Login to vote

Posted by Vicente Silveira, Sr. Product Manager for VIP Fraud Detection Service

The never ending parade of consumer data leakage and the inevitable fraud that follows added another participant this week with the Hannaford incident. This time, the damage amounts to 4.2 million credit and debit cards being compromised. It is early to tell all the ramifications of this incident, but the unraveling already started with the first salvo of class-action lawsuits against Hannaford.

When I see something like this happen, I'm always left to wonder: what is the true cost of a fraud incident ?

Looking back to some of the high-water mark incidents of the past we can have some hints of what the direct cost involved may look like. Take TJ Maxx for example: back in January 2007 TJ reported a 45 million (or 94 million) card compromise, which was followed by an estimated $68 million to $83 million in fraud losses on Visa cards alone. All this damage led to legal action and a settlement last September with TJ reserving more than $120 million to cover for it. Fast forward to the beginning of this week, and TJ is still in the news with a massive notification campaign that has been kicked off with mailings, magazine and newspaper adds to try to reach customers that may have had their cards compromised.

Based on all of this, it shouldn't be unreasonable to think that the direct costs associated with this fraud incident are north of $100 million dollars, specially when you include legal costs, advertising and G&A overhead to manage all the mess. All the urgent security assessments, patching and fixing shouldn't have come cheap either.

The indirect costs are harder to access but in my view even more dramatic: one can only imagine the amount of brand damage when you have to engage tens of millions of your customers repeatedly over more than one year, reminding them you didn't manage to keep their sensitive data safe. The cost goes up and is shared with all of us with the broader backlash against e-commerce and online businesses in general, where consumer confidence is melting away faster than I can say Global Warming. We are already seeing that in the polls: according to a recent YouGov survey in the UK almost half of the women in Great Britain would be ready to stop shopping and banking online in order to reduce their risk of ID fraud.

It got to a point where even corrective and preventive measures are becoming vectors for data leakage, such as this bank's attempt to notify one customer about a fraud issue in his account ending up compromising information on other people's accounts.

Sooner or later we will have to implement pro-active, stronger security measures for the broader online infrastructure, the only question is how much organizations and consumers will have to pay until that day arrives.