The effects of a data breach: Loss of brand reputation and financial penalties (by Seref Can OZKAYA)

Both our social and professional lives are becoming digital, with the rapid development of information technologies and their increased importance on a day-to-day basis. As a result of this digitalization process, individuals and organizations are connected to the concept of being online and carrying their professional and social needs on digital platforms. As such digital platforms have become global markets, platforms specific to the working fields of almost every sector have emerged (social media, finance, communications, etc.). Every activity in this globally effective market has social, political and economic benefits. What with the technology addiction and the higher amount of data stored in the virtual environment they have implied, increased digital activities have raised the issues of data leaks and personal data privacy globally. It is known that the national and international sanctions in this field are serious and affect the esteem and financial value of individuals and institutions. In this study, we analyze the effects of data leaks on institutions; namely the loss of reputation, financial sanctions and user loyalty.

Introduction

Personal data, or personally identifying information (PII), is referred to as any information relating to an identified or identifiable natural person. Important information such as race, ethnicity, political thought, health data are examples of personal data.

What is a data leak? How does it happen?

Data leakage is the result of unauthorized access to data, data disclosure, data theft, and cyber attacks. Cyber attacks, the exploitation of vulnerabilities on information systems, and social engineering attacks are also ways of stealing data. Besides, physical attacks on organizations and data theft by employees are scenarios that actually exist in today’s world. The result of such attacks may be shared with the organization by the attacker in order to receive a service, or uploaded to platforms that offer free services such as social media, e-mail, and many more. It should also be noted that these platforms do not only aim to facilitate communication between people. Indeed, companies also process people’s personal data and use it in areas that make them profit. Today, one of the main reasons behind cyber attacks is financial gain. Investigations on attacks worldwide have shown that cyber attackers can remain undetected for a long time in the systems they have seized. Not many companies can detect these attacks with their own resources.

According to the results of data leakages, small and medium sized enterprises (SMEs) are more affected by cyber attacks than large enterprises. If an SME’s data is leaked, competitive companies can use them to steal its customers and can even cause the closing of such SME by stealing its data and then dragging it into bankruptcy after a few years.

Data Leaks

Major data leaks include Yahoo’s 3 billion dollar account stolen in 2013, Trump’s party keeping the data of 200 million people unencrypted on Amazon servers, Under Armour’s sports application that affected 150 million users, and airways data leaks .

The Cambridge Analytica scandal led Facebook CEO Mark Zuckerberg to testify before the US Senate and European Union Parliament. It was revealed that Cambridge Analytica had unauthorized access to approximately 87 million people’s publicly available data on Facebook, including gender, location, political views, religious beliefs, private correspondence, web sites and profiles they liked, thus influencing and changing user preferences. In addition, in 2019, it was found that Facebook data such as user reviews, likes, user names, including more than 540 million Facebook records, as well as Amazon’s cloud environment, are publicly available. Looking at the outcomes of Facebook leaks, the number of users declined by 15 million a year in the US, one of Facebook’s most profitable markets, and by 3 million in Europe. If we look at the situation in our country, Turkey is the country with the highest number of Facebook users in Europe.

One of the largest data leaks was the Equifax leakage in 2017. Equifax is the US’s credit rating agency. When the leak and its effects were examined, it was found that the weakness is the patch that caused the leakage. However, two months after this finding, it was found that the company still had not installed any updates. As a result, 145 million people had their financial information and social identity numbers seized by attackers.

Influence of Leaks on Financial and Brand Value

A data leak should be managed as transparently as possible. When the Equifax leak is continued to be analyzed managerially, it appears that the leaked data was shared with the public 5 months after the date of the leak, and it turned out that senior executives had sold their shares. On the other hand, the CEO said in a TV program, that the tragicomic solution was to change the social security numbers of those affected. In view of this, it can be said that the brand image was worsened, and processes have resulted in the CEO’s resignation.

Looking at Equifax shares, the stock fell dramatically in September 2015 when the data leakage was exposed.

The company, which was the target of one of the largest known cyber attacks in US history, will pay a fine of $700 million as a sanction for the infiltration of private information of approximately 150 million customers in the 2017 cyber attack.

Facebook was sentenced to $5 billion in the United States and $645,000 in the UK for the Cambridge Analytica scandal.

Companies that experience data leakages will suffer financial losses at the following points:

• loss of share value;
• decreased incomes
• loss of customers
• falling back in competition;
• penalties;
• expenditure to regain

At the time of a data leakage, it is determined that there is an average loss of 5% of the shares depending on the sector. Losses also vary according to the company’s sector. For example, in the event of a leak, the financial sector may suffer more damage than retail. A brand that has a high level of security perception recovers its financial situation more quickly than a brand with a lower level.

The effect of leaks on brand value usually include the loss of customer trust and loyalty, the end of the customer-brand relationship, and the emergence of negative media coverage. In addition, data leakage has emerged as one of the top three main reasons that have a negative impact on brand value with poor customer relationships and product recall in the eyes of customers. A company with data leakage can then become the target of attacks.

Conversely, creating a strong sense of security increases customer loyalty and trust. From the customer’s point of view, data security appears to be important when purchasing products and services; and includes preventing large violations, sharing less personal information, and seeking abetter data security service provider.

In countries where information security has reached a certain level of awareness, large-scale data leaks are perceived as a major failure.

Necessary Institutional Changes

The most important factor that leads to data theft is that companies keep huge amounts of detailed customer information in their environment. Even if some companies do not process the data they hold, they retain most of it. In the event of a data leak, many of the customer’s data are seized by attackers. It is therefore recommended that companies do not keep data they do not need.

In the Equifax leak, had the patch been installed in time, the vulnerability could have been closed before being exploited. In short, all these leaks could be prevented by timely inspection of the IT infrastructure. As a result, audits should be performed regularly in any small or large company. Employees are required to access company data within their authorization.

Looking at the consequences of data leaks, companies also suffered material losses. Penalties to be incurred by state authorities will be added to these losses. Thereafter, the European Union’s GDPR legislation should be examined in detail by all companies that hold personal data and take measures accordingly.

Institutions need to allocate resources for security, training human resources, system audits and raising the awareness of employees against attack vectors. Action plans should be prepared before, during and after a data leak.