BOSTON/BANGALORE Alliance Data Systems Corp could face costs and lost sales of $100 million or more as it tries to recover after hackers stole reams of names and email addresses from its Epsilon marketing unit.
The estimate by technology analysts is slightly less than 4 percent of the Dallas company's revenue last year, but it underscores the rising threat from hackers and comes as Washington considers imposing tougher data-security rules.
The figure is also much higher than the direct costs financial analysts expect Alliance Data to pay for measures such as system upgrades and audits, showing how complex quantifying data security expenses can be.
Alliance Data first disclosed the breach on April 1, followed by a wave of customer notifications from Epsilon clients, including Citigroup Inc and JPMorgan Chase & Co.
Alliance Data has said the breach will have a minimal impact on its finances, without giving many specifics. It says its biggest risk is the potential loss of clients.
TD Ameritrade Holding Corp, said on Friday it has temporarily stopped using Epsilon to send emails to customers, at least until it learns more about the breach.
"We felt it prudent," spokeswoman Kim Hillyer said.
Several technology experts interviewed by Reuters based their estimates on past breaches, such as the roughly $160 million Massachusetts retailer TJX Cos Inc spent after thieves stole millions of payment-card numbers.
The records stolen from Epsilon involved only names and email addresses, which are less valuable and will not require expensive steps such as the re-issuance of consumer credit cards.
But other costs will resemble past cases and include new security software and technology audits, said Josh Shaul, Chief Technology Officer of Application Security in Massachusetts.
"When you add it all up, this one isn't going to be cheap," Shaul added.
40 BILLION E-MAILS
Shaul said the scale of the Epsilon breach could far exceed previous cases. Epsilon sends more than 40 billion emails a year. Security site threatpost.com counts over 50 companies that have notified customers of the breach, including Best Buy Co Inc.
Michigan data-security consultant Larry Ponemon estimates Alliance Data faces a cost of at least $20 per compromised record, including lost future business. Ponemon and other analysts say a conservative estimate is that thieves obtained the names or email addresses of 100,000 customers at each of 50 clients. At $20 per record, that amounts to $100 million.
That estimate is cautious another way. In a widely followed study released in March, Ponemon calculated the average cost of U.S. breaches at $214 per record in 2010, up from $204 in 2009, reflecting that many include financial data.
Deepak Taneja of Aveksa Inc cautioned costs could be higher if clients charge or sue Alliance Data for things like alerting customers. Competitors such as Silverpop of Atlanta have also been breached, however, which could limit client switching.
Alliance Data said on Wednesday it expects "minimal if any impact" on its financial performance from the breach. In 2010 it earned $194 million on revenue of $2.79 billion.
The company referred questions about costs to an outside spokesman, Larry Meltzer. He declined to give specifics, but cautioned the company's business model is complex. For its email, he said: "There's not a production cost like you would have if you were selling laundry detergent or automobiles."
Alliance Data shares dropped just slightly this week. Analysts who follow Alliance Data have cited the risks of lost business, but say they see few signs of massive expenses.
"There are always going to be indirect costs like customer retention issues, IT issues, and more client hand holding," said JMP Securities analyst David Scharf.
But he does not expect many clients to pare back their use of Epsilon's email service, a rare area of growth in the marketing industry.
(Reporting by Ross Kerber and Brenton Cordeiro; editing by Ros Krasny, Edwin Chan and Andre Grenon)