Payday lender Wonga's massive security breach over the weekend shouldn't come as a surprise to anyone vaguely following the news. Cyber attacks are getting larger and bolder, from raids on major firms such as TalkTalk by online criminals to the alleged hacking of the US Democratic Party by Russian operatives during the 2016 election campaign. If anything, I suspect all kinds of breaches take place regularly, but firms often have little incentive to report them if they slide by unnoticed, for reasons I'll come to later.
This most recent breach appears to have affected 245,000 UK customers, which sounds big and frightening, but the problem with cyber risks is quantifying the actual value of exposed assets. In the case of TalkTalk's earlier breach the company may have been fined £400,000 for poor security procedures, but the actual event was a bit of a non-starter because of the hackers' inability to do much with the data.
Wonga's breach appears more serious because the assailants were able to access data that can be used for online login processes. But even then, if no actual money is stolen, how can Wonga assess its losses? There may be legal consequences and fines, but that's not the only damage possible.
In both cases the firms are badly exposed to reputational risk - a loss of confidence in a company's brand, strategy or products by consumers and investors. It is no surprise that if you can avoid publicity for a breach with few immediate financial consequences, you might not report it. The potential loss from reputational damage can be enormous and is extremely difficult to insure. It requires a complex series of policies, financial instruments and contingency funds that boards will hesitate to undertake given the cost. But more and more they will have to contend with it as we increasingly become an online world and breaches become harder to hide.
Prof Woodward said the combination of names, addresses, sort codes and last four digits of bank cards was "particularly worrying" for customers. Other breaches in the UK had not tended to gain access to those financial details, he added.