Worst-case projected cost of Epsilon breach: $4B

01.05.2011
The ultimate fee for the could reach as high as $4 billion, depending on what becomes of the data that was stolen, according to a cyber-risk advisory firm.

This sum includes costs to Epsilon, its customers and the individuals whose email addresses were stolen, according to a report by CyberFactors.

MORE ON SECURITY:

That figure could be reached if criminals get hold of the email addresses and successfully exploit them to gather more personal information and carry out a spear-phishing blitz, according to the report. "However, until such an event takes place and can be directly linked back to this specific breach, the estimate remains theoretical, but certainly possible given the multitude of sites that use email addresses as user IDs," the report says.

The firm's more conservative estimate for the cost of the March 30 breach is $637.5 million. That's in stark contrast to the estimate given by Ed Heffernan, the president and CEO of Epsilon's parent company, Alliance Data Systems. He projected no "meaningful" costs or liability related to the incident and that the "vast, vast majority, if not all," of Epsilon's clients would stick with the company.

But CyberFactors says it is more likely that Epsilon will lose some current customers and lose the business of potential future customers who are scared away by news of the breach.