However, others expect that costs may rise to $1 billion once legal settlements and lost customers are counted. According to an April 2008 Ponemon study, 31 percent of a company's customer base, and the revenue it represents, ends its relationship with an organization following a data breach. And in its recently released annual "Cost of a Data Breach" study, Ponemon found that breaches cost companies $202 per compromised customer record in 2008, compared with $197 in 2007; lost business opportunities were the largest component of the increase. The average cost of a data breach in 2008 was $6.6 million, compared with $6.3 million in 2007.
Blinders: According to a 2008 Ponemon study, data breaches by hackers rank a distant fifth in terms of security threats. Indeed, about 14 percent of documented breaches in 2008 involved hacking, according to the ITRC. That doesn't mean companies shouldn't be wary, however. In TJX's case, hackers infiltrated the system by "war driving" and hacking into the company's wireless network. TJX was using subpar encryption, and it had failed to install firewalls and data encryption on computers using the wireless network. This enabled the thieves to install software on the network to access older customer data stored on the system and intercept data streaming between handheld price-checking devices, cash registers and the store's computers.
Eye-openers: According to Muller, the WEP encryption that TJX used on its wireless network was insufficient -- weaker even than what many home users have. "If from the parking lot you can gain access to the database, you need a higher level of data security and data encryption," he says. TJX had also stored old account information instead of permanently deleting it, Muller says.
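The point Muller is making about WEP can be shown concretely. WEP wraps RC4 with only a 24-bit per-packet IV sent in the clear, so the same keystream repeats after a few thousand frames, and anyone who can guess one frame's contents (a fixed protocol message, say) can read every other frame sent under the same IV without ever learning the key. The following is an added illustration written for this page, not code from the article or from TJX's systems; the key, the IV, the "price check" and card-data frames are constructed sample data, and the idea that a price-check echo is predictable is an assumption used only to stage the known-plaintext step.

```python
"""WEP keystream reuse, shown with a toy RC4 implementation.

Added illustration, not code from the article or from TJX's systems.
The key, IV and frame contents below are constructed sample data.
"""
import random
import zlib

IV_BITS = 24                                            # WEP sends a 24-bit IV in the clear
WEP_KEY = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit key (assumption)


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP's integrity value is a plain CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key)(plaintext || ICV). The IV is the only per-packet input."""
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    plain = xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if icv(data) != tag:
        raise ValueError("ICV mismatch")
    return data


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> tuple[bytes, bytes]:
    """An eavesdropper who can guess one frame's plaintext recovers that IV's
    keystream (ciphertext XOR plaintext) without needing the shared key."""
    iv, body = frame[:3], frame[3:]
    return iv, xor_bytes(body, known + icv(known))


def decrypt_with_reused_iv(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Any later frame sent under the same IV and key uses the same keystream."""
    if frame[:3] != iv:
        raise ValueError("IV differs; this keystream does not apply")
    body = frame[3:]
    if len(body) > len(keystream):
        raise ValueError("frame longer than the recovered keystream")
    return xor_bytes(body, keystream)[:-4]   # strip the ICV


def packets_until_iv_repeat(seed: int = 1) -> int:
    """Draw random IVs until one repeats. By the birthday bound a 24-bit IV
    space collides after a few thousand frames, not after 16 million; cards
    that restarted the IV counter at zero repeated even sooner."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return count
        seen.add(iv)


def demo_iv_reuse() -> tuple[bytes, bytes]:
    """Constructed scenario: a guessable price-check reply, then a sensitive
    frame that reuses the IV. Returns (secret, recovered_without_key)."""
    iv = b"\x00\x00\x2a"
    predictable = b"PRICECHECK SKU=0000123456 REPLY=19.99 USD  "   # attacker can guess this
    secret = b"TRACK2 4111111111111111=0912 AUTH=OK"             # constructed, not real card data
    frame1 = wep_encrypt(WEP_KEY, iv, predictable)
    frame2 = wep_encrypt(WEP_KEY, iv, secret)
    seen_iv, keystream = keystream_from_known_plaintext(frame1, predictable)
    return secret, decrypt_with_reused_iv(frame2, seen_iv, keystream)


if __name__ == "__main__":
    secret, recovered = demo_iv_reuse()
    print("recovered without the key:", recovered == secret, recovered)
    print("frames until an IV repeats:", packets_until_iv_repeat())
```

Run it and the second frame comes back in full with no key material involved; `packets_until_iv_repeat` shows how quickly the IV space runs out even with random IVs. WPA2 avoids this by deriving fresh per-session keys and using a 48-bit, never-repeating packet counter under AES-CCMP, which is the "higher level of data encryption" Muller is pointing at.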
4. Negligent employees
The spouse of a telecommuting Pfizer employee installed unauthorized file-sharing software on the worker's company laptop, enabling outsiders to gain access to files containing the names, Social Security numbers, addresses and bonus information of about 17,000 current and former Pfizer employees. An investigation found that about 15,700 people had their data accessed and copied by users of a peer-to-peer network, and another 1,250 may have had their data exposed. Because the laptop was connected to the Internet from outside Pfizer's network, no other company data was compromised.
Costs: Pfizer contracted for a "support and protection" package from a credit-reporting agency, which includes a year's worth of free credit-monitoring service for those affected and a $25,000 insurance policy covering costs that individuals might incur as a result of the breach.