A massive data breach that exposed the emails of millions of its clients' customers could cost Alliance Data Systems more than $100 million in direct and indirect costs – mostly in sales lost from companies that have lost confidence in Epsilon, the Alliance subsidiary that was hit.
So far only one customer, TD Ameritrade Holding Corp., has publicly said it is abandoning Epsilon.
Losing customer records costs the victimized company an average of $214 per record in lost sales and direct costs, according to Larry Ponemon, founder of security consultancy Ponemon Institute.
Alliance Data issued a statement last week predicting "minimal if any impact" on its financial performance following the breach.
The greatest risk is the potential loss of customers, though "the Company's number one priority over the near and long-term will be to ensure that Epsilon's clients regain complete trust in the company's operations," the release said.
It also urges consumers to "take appropriate precautions and be vigilant with regard to opening emails and/or accessing links sent by unknown sources."
Which seems to boil down to wishing consumers who are the real victims an insincere "good luck," and the assumption that there is little enough competition (or low enough security) in the commercial email-service market that Alliance will be able to schmooze the customers it burned into not firing it.
Doesn't seem like a fully disclosed, deeply held statement of remorse or intent to make its customers whole.
If you're interested, Alliance President and CEO Ed Heffernan will be on the company's next earnings call, at 5 p.m., April 21. Slides and audio of the call will be posted at AllianceData.com, or on the company's Twitter feed, if no one swipes the updates before they're posted.
I wonder if he'll do a cost-comparison between that $100 million and whatever it would have cost to encrypt the email-address database or add extra layers of security.
Or maybe he'll explain why Alliance didn't do anything to prevent the breach during the four months between the time Epsilon was warned about the attacks and the actual breach.
"Marketing as usual: Not a chance," Epsilon's slogan reads. Let's hope not.