TJX, Hannaford Cost Maine Institutions $2 Million-Plus
New Data Breach Study Examines Costly Aftermath of Hacks The combined cost of the TJX and Hannaford data breaches on 75 Maine financial institutions totaled more than $2 million, showing the substantial financial impact of a data breach.This cost was discovered in a recent study by the Maine Bureau of Financial Institutions and makes the case for more stringent data protection.
The first-of-its kind report examined the impact of data security breaches on Maine banks and credit unions. The Maine Data Breach Study identifies the various consumer protection steps taken by financial institutions in the aftermath of a breach and shows the subsequent costs to the institutions in dealing with breaches.
This study reveals the impact a large-scale data breach has on Maine banks, credit unions and their customers. The cost to institutions in terms of costs and the drain on employee resources can be substantial.
The Toll
Since January 1, 2007, there were two major data breaches that affected Maine financial institutions: the TJX data breach, reported in January 2007, and the Hannaford Bros. grocery store chain data breach, reported in March 2008.
In the study, 75 institutions participated -- 50 credit unions and 25 banks. Of the 75 institutions, 71 reported being affected by at least one data breach since January 1, 2007 and incurred combined expenses totaling approximately $2.1 million. The Hannaford breach had the largest impact and affected the most institutions --71, and had the highest number of affected account holders, 243,599, as well as the largest cost, $1.6 million.
For the TJX breach, 49 of the 52 affected institutions reported they reissued cards, with costs ranging from a low of $60 to a high of $32,146. For the Hannaford breach, 70 of the 71 affected institutions reported they reissued cards, at a cost ranging from a low of $250 to a high of $58,278.
The study shows that many financial institutions decided to re-issue all customer cards. In a few cases, institutions gave customers the option of having their cards replaced. The majority of financial institutions reported no unauthorized or fraudulent transfers. Of the 71 affected financial institutions, 25 reported unauthorized or fraudulent transfers. In one case, the unauthorized activity involved only one account and, at most institutions, fewer than 25 accounts.
At one institution, the accounts that may have been subject to fraudulent transfers due to the breach was 265, and the amount subject to unauthorized or fraudulent transactions was $75,000.