Schnucks, a family-owned grocery chain located in the Midwest, was the victim of a cyber attack between December 2012 and March 2013. In a prior post on our website, we mentioned that up to 2.4 million credit cards were potentially compromised.
As the fallout continues, Schnucks is facing three class action lawsuits in both federal and state courts, alleging the grocer failed to secure its network properly, and that it waited too long to notify its customers after it became aware of the data breach.
Talk about a nightmare scenario for Schnucks management!
On several fronts, this attack is causing pain. First, Schnucks has a public relations debacle on its hands. Faced with the prospect of lost income from consumers going elsewhere to shop, Chairman and CEO Scott Schnuck made a YouTube video apologizing to customers. The grocer also issued an apology letter in a full-page newspaper ad, and is trying to convince customers that it is safe to shop at Schnucks.
The company has already incurred notification costs to alert customers whose credit card data might have been stolen, and it has set up a call center to answer questions from concerned card holders.
Schnucks also had to pay for computer forensic services to find the source of the attack and shut it down to prevent hackers from further harming the system from the same entry point.
And now, the grocer faces mounting legal bills as a result of the lawsuits. In his company’s defense, Scott Schnuck points out that a cyber attack “is not like a bank robbery where you know immediately when it occurred and who was affected. The investigation requires painstaking analysis of digital evidence that takes time.” The company has posted a timeline of events to make its point.
Whether Schnucks was negligent or not remains to be seen. But what is clear is that the firm has suffered financial loss, as well as the loss of goodwill. Recovering from brand damage will be neither simple nor easy.
We continually warn that no company is immune from a cyber attack. Digital criminals are very smart, and no network can be totally safeguarded. Your company can do all the right things from a security standpoint and still become a cyber crime victim.
To protect your assets, it is wise to shift at least some of your cyber risk to an insurance carrier. Right now, the cyber liability market is soft, meaning insurers are competing for your business. You can get high levels of coverage for small premiums.
Because even small businesses typically store data valuable to hackers, such as employees’ Social Security numbers or proprietary information, we recommend that all companies with any sensitive information seriously consider cyber liability insurance.