The Customer Perception About Honda

Published Date: 02 Nov 2017

Honda Canada is a large organisation of more then 21,000 Canadian employees. The research work has been taken from 100 employees of lower and middle level management. Because higher-level employees like corporate leaders in Honda have denied for any survey to answer. Although it was important for research to interview or collect data from corporate leaders of the company (Honda), but company denied to provide me any critical information. So I decided to take a survey from employees of Honda and they accepted it. This survey will disclose the employee satisfaction about training and security system of the company. How company regulates its training programmes to prevent phishing attacks? Such kind of question will be answered by performing this survey.

3.4.4 Design And Measurement Of Questionnaires

In order to conduct the survey itself completed questionnaires were designed to take necessary information in order to meet the needs of research from two sets of respondents. Two questionnaires were emailed to survey assistants in Canada who helped to conduct the survey and then these survey assistants sent back all data through email. Following survey technicalities were taken into account for design of these two questionnaires

Questions must be designed in a way that answers from respondents can contribute to solve the research questions.

The chosen group of respondents is fully willing to answer the questions.

Question contents are fully understandable.

Biased questions should be avoided.

Before starting survey, questions must be pretested to make sure that questions are understandable and nothing important has been left in questions.

The measurements of questions will be on the basis of degree of their answers from the respondents as they are agree, strongly agree, disagree and strongly disagree by the questions.

3.4.5 Questionnaires measurement

There were two types of question in this research work. The first question was designed to be answered as Yes or No and the weightage technique is used to measure all the questions. The weight given for measurement of Yes or No questions is 1 and 0 respectively. The second type was designed to answer strongly agree, agree, neutral, disagree, strongly disagree and measurement of these questions was done by assigning the weight as 1, 2, 0, 3, and 4 respectively.

3.5 Secondary Data Analysis

Data analysis of this paper was two-fold. First, the results of the case studies were be analysed, and then secondly, the lessons learned from this information were then applied towards the Honda Canada. As per Soy’s case study measures, the following analysis steps were followed:

Evaluate and analyze the case study data: this involved the examination of raw data found in the data breach incidents of the four companies, followed by the organising and formulating the information so it is relevant to the research questions. Going through so much data allowed for first impressions to be investigated further in order to gain more information about the real situation. In order to achieve this goal, the case studies were then categorised into three brief sections, each to in order to gain sufficient information for the dissertation’s research questions:

A background of the Company

Breach incident

Key Impacts

Investor Relation

Prepare the report: This particular section was the straight forward because it was the comprehensive presentation of each of the case studies. Presenting all the data in a brief, logical, and relevant way ensured that the case study analysis could more easily and comprehensively contribute towards the discussion section.

The use of a comparative case provides substantive background information on data breach incidents in major multinationals, alongside information gathered during the literature review. Furthermore, all of this secondary sourced research also allowed for a discussion of the entire findings and also the application of data breach management theories and practices.

3.6 Limitations of the research

One argument against case study research part is that "...it limits the scope of the study too much as the focus is not broad enough..." (Yin, 1984), Although these are criticisms to take into account, the similar planning procedure required by each organisation is quite similar to one and other and something new and other companies can take into consideration. This is of course not to prove that Honda Canada’s situation is the same as any other previous companies that had to suffer breach incidents, however the management of data and securing it after the breach, is certainly something that can be learned from previous companies.

The research is a combined approach of primary and secondary data. So primary data is more reliable and unbiased. Still research have some limitations, results could have been more better if company would have given the permission to interview corporate managers, because they know the exact position of company in this scenario and they know how they handled this situation. The questions are directly linked to the economy of Honda Canada and the impact of the breach incident which alternatively reflects back to the corporate world that how Honda handled their investors and customers during this whole critical time. Although, we have conducted customer and employee surveys to acquire as accurate and deep information as possible, result could have been more batter if company would have authorise us to contact to the corporate authorities. So this is a limitation of the research that we are unable to interview corporate managers of Honda.

CHAPTER FOUR: FINDINGS

4.1 Introduction

This chapter reviews the findings of this dissertation investigation, which was designed using both qualitative and quantitative data. The chapter is divided into two parts, first part investigates the primary data collected for example survey results and second part compares similar case studies to investigate how breach incidents has been handled by the companies in history? The author used secondary source of data as a qualitative method to review previous studies examining the impact of data breaches on firms’ economy and quantitative method to assess the perceptions of customers about the Honda Canada through surveys. In the following sections the author discusses the findings of this study starting with the review of data breaches impacts from the literature review.

4.2 Part-1 survey results

There were three set of surveys has been conducted from customers and company employees.

Customers are the group of people; those are directly impacted by such kind of incidents like data breach. So customer survey has been conducted to light up the insights of their mind about company. Survey has revealed the truth about compromised records, that how much and what kind of data has been compromised and also hazards from the stolen information in the future. Firstly the customer survey has been performed and the data collected from customers tells the whole story of breach incident, company’s response, and actions taken to prevent phishing attacks and customer perception after this incident. The second type of survey explores the truth about the training and authenticity of the security system employed by Honda. As I mentioned before that Honda’s corporate managers has denied to give us any interview because of their busy schedule of working or might be any other reason for which they denied for interview. Anyway, I’m thankful to them for giving a chance to perform employee survey. It also reveals that there were lots of drawbacks found in Honda online security system and employee awareness. The whole data was summarised in a systematic way via diagrams and charts as follows: -

4.2.1 Customer perception About Honda

This subsection will present the findings and results of survey from customers in order to find out insights of the public about Honda brand after this breach incident and to develop the strategies to recover the relationship between company and customers. This section will also provides the information about how much loss Honda is going to face in near future. This survey provides a good measurement of brand loss that Canadian customers are more curious about security of their personal information. The survey was conducted from 100 individuals of Canadian customers of the company. This survey is also helpful in developing and changing branding strategies according to customer needs, wants and demands.

4.2.2 Honda Online Security

Literature review chapter has already given a sound knowledge on types of threat that there are two types of threat:

Internal

External

Read the subsection given in literature review chapter about internal and external threats (go to heading 2.2). In order to find about company’s online security system limitations and how much its customers are confident about security system one question was asked from customers. There were only two variables were created Agree or Disagree. This question has been summarised from 68 results out of 100 results because these 68 customers were the existing customers. These 68 customers replied "Yes" to question No. 4. Results were surprising that out of 68 there were 22% (Approx.) customers who had chosen Agree parameter. It means that 78% has replied as Disagreed to the question "there information is safe on Honda server". Another question has been asked from customers that how confident they are about online security system of the company? The result has been calculated through five parameters as Very much confident, Confident, Neutral, Less Confident, Not at all confident. With these five parameters we have enabled to calculate more deep insights of the people and the results are as below:

Figure Customer Satisfactions About Honda Online Security System

So it is clear from the above bar chart that most of the people are afraid of Internet in respect of their personal data. As we see that 28% people are Much Confident/Confident and 57% are Less/Not at all confident about Honda online security services and others are Neutral (15%). So statistically only 28% or less are willing to store their personal information online and these number of people are mostly addicted to technology and they want to use fastest and reliable communication services because of their busy working schedule or any other reason. Alternatively, 72% people are not willing to compromise their personal information over Internet because they are more conscious about protection of their data online. Most of these customers are the victims of some kind of phishing attacks and this is why they want more security measures or surety from companies. The best example of weak security system is presented in literature review chapter that Google has faced so many problems while launching in China. Chinese Human Rights activists hacked Gmail account of Google.

4.2.3 Loss In Future Sales

Back in Literature review chapter there is a section and figure named, as "How data are breached" is a complete overview about data breach sector. The survey’s main motive was to calculate the brand perception degraded among customer after this security breach. So a question was asked from customer about buying a Honda product in future. Most of the results were negative and after summarising data we found that 66% has no interest in buying Honda products in near future and these 66 customers are existing customer of Honda and out of these 66 customers 18 customers are those whose data has been compromised in this breach or who replied "yes" to question No. 5. It means that all breach victims and even some new customer (total 66%) has postponed their future dealings with Honda Canada, which is really a high amount of customers and relatively it will cause a real loss in future dealings of the company. In this survey we concluded that 84% people agreed with the theory of Honda’s weak online security system 18% has committed that their address information/VIN has been compromised. Below is a pie chart showing estimated future sales loss on the basis of data collected through survey:

Figure Estimated Losses In Future Sales

After this all we asked the customers about what they think of company’s reaction after this incident? The question has assigned five parameters to answer this question as Strongly Agree, Agree, Neutral, Disagree, and Strongly Disagree. As the article in chapter 2 above tells that Honda came late for notifying breach victims, same response could be seen from survey data. This mistake of coming late on notification process could be considered as another reason for brand loss because a large number of customer agreed with this point that Honda should have moved to the notification process as soon as they detected first sign of intrusion in server. Survey results about this question (What do you think, Honda took necessary and in-time steps to protect victims from identity theft?) are as follows: -

Figure Customer View About Honda Response After Breach

As we see in bar chart above depicts that:

Customers, those are Strongly Agree - 8%, Agree – 19%, Neutral – 12%, Disagree – 45% and Strongly Disagree – 16%. So it is clear that most of the customers are not happy with Honda’s working pattern to save customers data/ response time to save customers from identity theft or any other type of threat like unauthorised access, fake mail/e-mail etc. Even in literature review also have concluded that Honda has been sued for CAD $200m for recovering from this breach incident. Back in literature review there is another study that has proved that each compromised record costs for $214 and Honda has committed those 280,000 records has been compromised in this breach incident. It means this breach could cost $59,920,000 to Honda.

4.3 Employee Survey

This survey has been conducted to estimate Honda training programs and their transparency throughout the organisation. Every employee could be a different door to enter into system for hackers. So these doors should be properly secured from outsider threats. This survey also conducted to test the loyalty level of employees towards company because internal threats are always very dangerous and very hard to stop and investigate. Their were two main point was in consideration before conducting this survey which are as follows:

Internal threat – Some how check employee Loyalty towards company.

External threat prevention – Explore about training programs, their pattern on different level of management.

And the results are as follows:

4.3.1 Internal Threat (Employee Disloyalty)

There were some questions, which were asked from employees about loyalty factor in such a way that they could answer them without any issue/worry. If someone is directly asking that "how loyal you are about company?" is useless because nobody tells himself/herself disloyal. So results will be biased. To avoid biased results and to make targeted group of people feel free to answer, the questions are designed in such a way that employee can answer without worrying about any issue in future. There were 20 random samples has been collected from middle level management employees like Assistant Managers, Supervisors, Relationship and financial workers, online data handlers etc.

Out of these samples 30% replied ‘No’ to question No. 1 so it means they don’t think or they are not sure about this incident but rest 70% are sure that this incident was a phishing attack. After this those 30% (6 Employees) who replied ‘No’ to question No. 1 answered the question No. 2 and 33% (Approx.) has chosen Week firewall and 16% (Approx.) chosen "Employee Disloyalty" and rest 51% chosen "Weak Training". Now to the 3rd Question, out of 100 samples all have replied in a different way.

The question was "How you scale disloyalty of employees in today’s multinational companies on the scale of 1 to 10?" Results are as follows: -

Figure Employee Disloyalty according to Honda Employees

By sampling this data all together we have got that approx. 15% employees could be disloyal towards company in this era of information and technology.

4.3.2 External Threat Prevention (Employee Training Programs)

A question was asked that how often training programs are conducted by company? Approximately 65% has replied "Never After Recruitment training" which is really a surprising result for me. But these 65% also replied to Question 7 and mentioned that training programs are running throughout the year as new recruitments are going on throughout the whole year. So when it comes to online security every employee is free to attend seminars but it is on their own choice. Only the managers and Level A and B (Upper and Middle Level management) employee are forced to attend each and every seminar. Security training seminars are much often then others once after every 3 months, when they need to implement new software or need to employ some new security measurements. So main training is only provided once but security seminars are regularly being conducted time-to-time. Shown in graph below: -

Figure 10 Training Process At Honda

4.4 Part II

4.4.1 Case Study – 1 Apple

Background

Steve Wozniak, 26year old and Steve jobs, 21 founded Apple in April 1976, both collage dropouts. This is one of the leading organisations today, which initially started with Apple I box computer. Its first initial business was 200 computers they have sold. In December 1980, Apple went public. It’s offering of 4.6 million shares at $22 each sold out within minutes. A second offering of 2.6 million shared sold out in May 1981. After raising money Apple started a new era of innovative product and by January 1982 Apple had sold out 650,000 computers worldwide. After this company has entered in some new businesses and they succeed in those as well. Apple has been the leader in quality management for the last 15 years, but in 1997 it had major loss in its share price. When Macintosh was introduced, it was new era of easy computing, industrial design, and advanced technology by Kirkpatrick, D., (1998, p86). Although its performance was slow, the graphics introduced by Apple was a milestone of quality and after that i-pad, i-phone, i-tunes, and all other i-series product gave the Apple brand a special name in quality electronics and technology. Apple provides technology that is a generation ahead. Hogan, T. (1987).

Breach incident

In September 2012, FBI has disclosed the news, that some hacker group has stolen the personal identification data of millions of iPad users from FBI agent’s laptop. The group of hackers called itself AntiSec, is posting on FBI’s website. This group has taker the responsibility of hacking the data from FBI agent’s laptop, which includes more then 12 million unique identification numbers and personal information for Apple devices. The file, which was hacked from FBI agent’s laptop, was named as "NCFTA" referencing to the National Cyber Forensics & Training Alliance, reported in the article. As for as this is also a recent breach as Honda Canada, so impact may not show in monitory terms at the moment but it might have great impact on near future sales of Apple. This is one of the largest breaches of the year. Baldor, L.C., (2012)

Landsman (Apple spokesperson) explained that data was hacked in just one attack on 4th September, so for she identified more then 500 unique pitches used in the campaign. It is being disclosed that compromised information includes Bank of America Account suspensions, Macy’s credit card collections and requests from the US Veteran’s Administration Health services, Credit card information, etc. The exact date of Breach was 4th September 2012 reported in the article, "ID theft gives Apple another security black eye" by John P. and Mello Jr. (9 oct. 2012). Apple has changed the whole security system and upgraded it to higher level then the existing one and this costs a lot for apple to design and implement new protocols in coming products. John P., Mello Jr. (2012)

Key Impacts: -

This breach incident has been rooted to an FBI agent’s Laptop and it could not be yet recognised as in internal or external attack. Legally FBI has direct connections with the multinational companies to monitor their actions or to provide them online or offline protection. So this special agent had the sensitive data of Apple customers in his laptop. The data was stolen from this agent’s laptop and has not been identified yet that, weather it was and unauthorised access to his laptop or he has compromised this sensitive information to some external person. The investigation is still in process and this attack could not categorised as an external or internal attack, however, for Apple itself, it was an external attack because FBI is a different body and Attack happened to an FBI agent’s laptop although the data compromised was of Apple customers.

In this breach there were 114,000 email addressed were exposed to some external body. The breach was entered through a very different way. In the article, "post tech: security gap exposes iPad information" by Washington Post (2010) has contained that AT&T breach has been exposed just week after an apple employee lost an iPhone prototype in a bar. This iPhone prototype contained a list of email addresses, a list of early adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Co. CEO Janet Robinson to Diane Sawyer of ABC news, even White House Chief of staff Rahm Emanuel’s information was compromised. So this breach could have worst results in future.

On the other hand, Apple has to face a serious problem from its customers. In the same article by Washington Post (2010) is clearly mentioned that relationship between AT&T and apple has been turned into a critical situation because apple customers have been facing a serious network problems from its partner AT&T. Apple customers have already complaining about network congestion problems with the exclusive partner and customers of Verizon Wireless waited anxiously for Apple to strike a business deal with their provider. In this condition, either Apple has to strike the business deal with AT&T or Apple might have to loose their potential customers. This a very critical decision for Apple corporates that weather the company is going to loose its customers or its partner (AT&T). The cost of loosing a partner or potential customer or brand loss could not be calculated because its effect will come in future sales and then potential cost of this decision of apple (Loosing customers or partner) could be estimated or calculated. On the whole one thing clear from this article that, this critical situation is going to sue Apple for Millions of Dollars, if Apple corporate are unable to find an another way around or if Apple is unsuccessful in convincing their customers.

FBI disclosed breach incident in June 2010.

Personal information of 114,000 AT & T customers has been exposed.

The hacker group name was Goatse Security.

4th Sep. 2012, FBI inspector writes on his blog that an app developer released 12 million device ID’s to the FBI. Olson, P. (2012, p19-19)

FBI probes Apple iPad security breach., (Anon., 2010).

4.4.2 Case study – 2 Sony

Background

Masaru Ibuka and Akio Morita founded Sony in 1946 and initially it was called Tokyo Tsushin Kogyo, which means Tokyo Telecommunications Engineering Company. Automatic rice cooker was their first innovation. It was not that successful but it was the first in the long line of innovations, which is continuing today. Ibuka and Morita realised that they need a global name to represent the company at the global level. Another company was already using TTK, so a new name Sony was conceived. Later on the name was changed to Sony Corporation in 1958. Sony’s UK history was begun in 1968, when Sony United Kingdom was founded in London. Gibney Jr., Frank (1997, p52)

Breach incident

This breach incident was an external attack. One of the Sony employees accessed a fishing email and as he/she tried to open the link, contained in that email hacker abled to steal his/her user name and password. It is possible that hackers sent a fishing mail to several employees in Sony, so that one of them could be victimised and the hackers were successful. So this was an external attack, in which hackers able to get employee’s username and password and then they accessed the server. The employee has been attacked was from the administration department of Sony online entertainment services and he/she has the access to sensitive information. After being successful in this external fishing attack hackers accessed sensitive information from Sony’s server as an authorised access by using an administrator’s username and password. As per the article it was a planned attack. Hackers had planned to acquire username and password through a fishing attack and so they did. After this they accessed sensitive information from Sony server. So it was not an accident it was a fully planned attack. (Baker L.B. & Finkle J., 2011)

Sony admits a data breach in their online gaming system called Sony PlayStation. The incident was happened in between 17th to 19th of April 2011. Sony has announced that it has 77 million Users till 30 March 2011. Sony announced that names, addresses, and possibly credit card numbers of 77 million customers have been compromised. The breach sued Sony in a different way that the company has responded to customer about the breach after a long delay of a week. A week time for the person whose personal information has been compromised is too slow response. This is why Sony lost the faith of their customers and company had a large breakdown in sales.

Sony would have been sued for £500,000 for this security breach because the ICO (Information Commissioner Office) has the power in UK and Ireland to put the fine on any company for this much (500,000). In this case Sony is lucky, in the same case the News was that hacker way have stolen the personal information roughly 32 million customers in Europe. This might be the one strong reason for he European Commission to put fine on Sony in stead of this the spokesman for the EU justice Commissioner said that they will modernise the rules dating from 1995 and expend them to online banking, online shopping or the personal data protection. Banham, R. (2012, Pp14-14)

Sony said that in response to breach they are moving the data center and network infrastructure to a new secured location. This operation will cause a large cost for Sony and of course a lot of loss in respect of customer perception, will go down, which alternatively effect the future sales. Revenue will be less then the usual and no growth for few years.

Meantime, Sony apologise for the breach incident and their spokesperson Mr Hirai said that, "the steps Sony as taken in response includes additional software monitoring, enhanced level of data protection and encryption, enhanced ability to detect software intrusions, implementations of additional firewalls, a plan to move to a new data centre with enhanced security and appointment of the chief information security officer". At least two lawsuits seeking class action have been filed in San Francisco and Toronto, Accusing Sony of negligence for failing to prevent the attack and taking too long to inform the customers. All this, sued Sony for millions of money. Greenwald, J. (2011,Pp1-21)

Key Impacts

Sony is one of the leading companies and this data breach has a great impact on the good will of the customers. In May 2011, this breach incident was breaking news throughout the world, on every Radio and TV channel, Newspaper, and of course by word of mouth. This incident has been through every business mind and customers of Sony all over the world, company has received thousands of calls from their customers during two months after the breach. This was the critical time for Sony, because breach incident has had a serious mind changing impact on customer’s mind and its competitors have become more active then usual for example Apple, Samsung etc. Sony reported Stock Information (2011) on their website, that the annual share price at Tokyo stock exchange for Sony shares fell down 49% during 2011, after this breach incident. This was the biggest decrease in last five years in Sony’s share prices and this decrease was million Dollar impact of security breach on Sony on Sony sales. Even shared holders decreased from 761, 242 to 691, 901 in 2009 to 2010 respectively.

From the analysis of breach it is clear that approximately 77 million records had been compromised which includes the financial information as well. These 77 million customers might need to reissue their credit/debit cards from the bank and this large amount of digital cards really take millions to reissue. So alternatively Sony breach would have been sued banks to reissue banking cards, if Sony hasn’t announced that Sony will repay banks for issuing banking cards o their customers. This impact is also another big loss to company.

Breach incident was executed in between 17th to 19th April 2011.

77 million records compromised.

ICO has the authority to fine maximum of £500, 000 to Sony for this incident.

Loss in sales because PlayStation servers had shut down immediately for an unspecified time and company lost customer faint as well.

Sony agreed to pay to banks for card reissuing cost; it will be really a large amount of money to reissue almost 77 million bankcards. Hernandez, W. (2011, p12)

How Sony convinced it shareholders and customers

On Sony’s Investor Relation Website, (Sony, 2011) company has announced on May 3, 2011 that there is some kind of intrusion has been found in Sony Online Entertainment LLC (SOE) on May 2nd 2011. Sony announced that the investigation is still going on with he help of FBI. Sony didn’t committed that this amount of information has been compromised; they said that information of 24.6 million accounts might have been stolen because investigation is still going on. So this was a smart announcement to keep the shareholders and customers calm down.

After this Sony announced some incentives while apologizing for the inconvenience. The incentive includes: -

30 days additional time on their subscriptions and in addition one day for each day the system was down.

An addition "Make Good" plan for the extra security of PlayStation3 MMOs.

For shareholders and customers company announced free assistance to each customer who wants to restore personal information and assistance in enrolling for identity theft protection services and/or similar programs.

Another commitment Sony made in this press release that once the investigation has been completed, company will inform the affected customers by sanding an email. Till then Sony suggested customers to be aware of any phishing email, letter or phone call and not to give any personal information if some letter, email or phone call asks for their personal information.

In an Another News Release by Sony Corp. Info (2011) announces a big relief to its customers that company is going to start restoration work and some new security software to enhance the security of personal data of valuable customers. It was another big step by the company to assure security to the shareholders and customer’s personal information in the future. In the same article, company created a new position Chief Information Security Officer to prevent such a critical incident in future. This additional position will be responsible for time-to-time security software update, enhanced level of data protection and encryption, and enhanced ability to detect software intrusion, unauthorised access or activity patterns and implementation of addition firewalls. This is how Sony convinced its shareholders and customers and kept their faith. Company offered a "Welcome Back" program to convince the customs and to thanks them for their patience, support and continued loyalty, the program includes the following services for free: -

Each territory will be offering selected PlayStation contents for free download.

All existing PlayStation customers will get 30-day free membership in PlayStation Plus Premium service.

Qriocity subscribers will receive 30-day free music download service.

Even after these all-possible efforts to convince customers, company had to bear a great loss in sales.

4.4.3 Case study – 3 Epsilon

Background

In the article, "The Epsilon hack attack: time for "SOX for customer"?" by Savitz, E. (2011, p33) explained that, Epsilon is a subsidiary of Alliance Data Systems Corporation. Epsilon is an email marketing firm, that sends more then 40 billion emails a year. Epsilon is believed to store more then 250 million email addresses in its database. Most of its clients are corporates such as Kroger, Walgreen’s, Marriott Rewards, Ritz Carlton Rewards, Capital One, Citibank and many other international companies/firms.

Breach Incident

The breach incident has been recorded on 30th march 2011 in Dallas-based Epsilon Management L.L.C., and it is still unknown that how it was accomplished, what parties involved. Epsilon admitted that only 2% of the database is invaded, but dozens of major companies across the variety of industries responded their customers by email to notify them of the breach. The companies include Citigroup Inc., Capital One Financial Corp., JPMorgan Chase & Co., 1-800-Flower.com Inc., Best Buy Co. Inc., L.L. Bean Inc., and Target Corp. Meanwhile the Epsilon denied discussing anything about cyber attack except to say it was an "unauthorised entry". In an email statement Epsilon said, that "the information compromised includes only email addresses and/or names of the customer and no harm unauthorised access to sensitive information has been recorded till now".

When any information has been compromised, problem does not stop with the customers, for example the RSA incident occurred after an employee opened an email attachment containing or hiding a malware, According to Litan. So as per this information it is possible that if the email addresses has been stolen by some hacker then, "Fishing" attack may occur after a long time, may be after few years, when the person has fully forgotten the breach incident. This might cost anytime to the person whose information has been compromised. On the other hand, "the Visa Extra program is unaffected," Visa said by email. "Because visa takes security and protection of account holder information extremely seriously, all the database, applications and servers maintained by Epsilon for the Visa Extras programs have always been completely separate systems, and thus were not in any way involved in the march 30th incident." Quitten, J. (2011, Pp1-10)

Key Impacts

Epsilon breach incident was an unauthorised access to their server. Some hacker group tried to break through the security system and they were successful. In the same article by Quitten, J. (2011, pp1-10) Epsilon spokesperson declared, "it was an unauthorised access" this means that it was an external attack.

Another big impact of the data breach is that Epsilon has many corporate clients, for them Epsilon does Internet marketing. These corporate clients are multinational companies, are very conscious about data security. Some their clients have strike down business with Epsilon and this means loss of millions for every coming year. In the article, "Alliance data plays down impact of Epsilon breach" by Fitzgerald, K. (2011), that Alliance is trying to convince its clients that there is no big impact of this breach on company. "Email volumes have largely remained at expected run rate" Heffeman said, nothing Alliance data is putting "all hands on deck to continue our efforts to rebuild any damaged client relationships." This clears the doubts that Epsilon breach has a great impact not only to Epsilon, even to the whole parent company called Alliance Data Systems Corporation. Epsilon, as I said already that it provides the online marketing services to other international companies, for this purpose the personal data of customers of these international organisations has been stored on Epsilon servers. Epsilon uses this data like customer names; email addresses, usernames, passwords and credit/debit card information of millions of individuals for online marketing e.g. mailing to customers on behalf of any particular client company on daily, weekly, monthly or yearly basis. This whole data on Epsilon servers is very sensitive and Epsilon is responsible for the security of this data. After this breach the data has been exposed to some third party and client companies might have great risk of loosing customers after being exposed customer’s sensitive information. So some of the multination companies decided to strike down business with Alliance Corp., and to assure the full security for that sensitive information of customers they need higher security barriers.

In the same article, by Fitzgerald, K. (2011) mentioned that Alliance has started to install number of new security layers to its Epsilon Online Marketing operations. Company has decided to build "Fort Knox" around it. "Even if it means making the enhanced system, a little less user-friendly and little less flexible," said Heffeman. These might also increase the cost level for the company just because of this Epsilon breach incident.

Epsilon has some corporate clients and maintaining some databases for them, which contains sensitive information related to their clients. Epsilon attack didn’t have a direct economic impact on the company, still the Epsilon attack could similarly hurt the other corporate companies and the hacker could easily trace their corporate information behind the firewall of those companies. The can attack the domains by searching through email addresses they have stolen. This attack might be a less serious attack for the Epsilon itself because only names and email addresses have been compromised, still this attack could be the reason of a large and most serious data breach in future for the clients of the Epsilon and could cause million or billion dollar loss to other companies in future. Other customers may also be a victim of a "Fishing attack" any time in near/long future. Quitten, J. (2011, pp1-10)

Key points: -

Data breached on 30th March 2011.

2% records of total database have been compromised.

At the moment Epsilon has minimal impact on its marketing operation but compromised data may lead to a serious cyber attack on its clients in future.

Potential client loss, Epsilon has lost some potential clients or corporate client companies by Johnson, A. (2011, p11).

Investor relations

Regardless of anything else the most critical thing is to convince the customers and shareholders after such a data breach. Alliance (parent company of Epsilon) took some really some intelligent steps e.g. as soon as they got to know that there was an unauthorised entry in their database, they spread the news on News networks so that customers could be saved from any phishing attack. Even the information stolen was not that critical because only email addresses and customer names were stolen and no other personal information was compromised. In the same article by Nable J. (2011) Epsilon announced that company is making every possible effort to secure customer data in future and earn the lost faith of its shareholders and customers. Epsilon announced that company is implementing some new protocols and security software to strengthen the security system. Alliance, the parent company also apologised for the inconvenience, to gain the faith of customers company also assured customers that whole compromised information will be restored to minimise the risk and this whole process will be free of cost. Company announced that each customer who wants to restore his/her personal information would be provided free assistance in the process. "We fully recognise the impact this had on our clients and their customers, and on the behalf of entire Alliance Data organisation, we sincerely apologize," said Haffernan, chief executive officer Alliance Data.

CHAPTER FIVE: DISCUSSION/ANALYSIS

5.1 Introduction

The research findings of this dissertation investigation provide valuable insights into the information security policies, computer security breach incidents, and security measures that exist in firms of various sizes throughout the world. The implications of this dissertation investigation to data breach policies and practices are significant. The body of knowledge pertaining to data breaches incidents and preventive policies has been expanded by this dissertation investigation in critical respects. The mixed research approach has been taken in this research so results from primary and secondary data has been presented in the chapter above (Findings). Now we discuss that what we have found from whole research. In primary research we conducted two surveys, one from customers and another from employees for digging deep to answer the research questions. The discussion chapter is divided into sections to clearly discus all findings as follows:

5.2 How Data Breach Happens

As we see in chapter 2 it is clear from the previous data breaches that 45% data has been lost through stolen computers, thump drives, phishing attacks and other catastrophic happenings. And 5% data records has been compromised because of employee disloyalty, it means someone sold critical information to outsiders. And again it has been cleared by employee survey that 5% has selected employee disloyalty factor as a reason of Honda Canada Breach.

5.2.1 Honda Security System

Internet was found as main suspect in this breach incident. Internet is a collection of interconnected computers or machines throughout the world and these devices are connected to each other through LAN (Local Area Network), MAN (Metropolitan Area Network), WAN (Wide Area Network) etc. In this research we found that there are 80 ports/doors in a computer system through which a computer system could be accessed/hacked. Honda security system was not that good as cleared through customer survey. As shown in findings that 57% customers are not satisfied with Honda’s Online Security System. Even Honda declared that new security software is being installed and firewall system is being doubled this year still customers are afraid of being fooled again by some hacker group. Because of this incident Honda can loose 50% (Approx.) of its future demands for next year.

5.3 Direct Breach Impact

After summarizing the whole research from primary and secondary resources, we found that this incident will affect brand power ore then direct financial losses or lawsuits. Such kind of security breach News can make company’s perception down into the eyes of its loyal customers. Honda’s 57% customer are not willing risk their personal information on MyHonda and MyAcura sites. Regarding future business it is clear from customer survey that 66% people are not thinking of Honda either they have postponed their further purchases for a long time or they have changed their mind and now they are looking for other alternatives. We can’t assure that they will get back to Honda but it is clear that company has to bear at least some losses in coming year. Even company might face some lawsuits in near future because as per the customer survey that there were 18% people has committed that their personal information has been compromised and now hacker group can send phishing email or letters to obtain another much critical personal information on behalf of company from customers. This could again lead to an indirect cost to company. This was a cost that could affect company in near future. We have some similar cases in the past so we can calculate cost of this breach by comparing and calculating the cost occurred in past cases. As we can see in Literature Review chapter that each compromised record costs $214, So Honda could be sued for $59,920,000 for compromising 280,000 records, which is relatively high amount.

On the other hand Honda is expanding its training programs by making each security workshop/seminar mandatory for everyone. Honda is also tightening the firewall security and enhancing whole security system by doubling the previous security measures. New software and license specification will be installed and system will be fully updated form now on. This whole will cost a lot and it is clear that Honda announced an investment of CAD $206 Million to enhance the security system. For the measurement of breach impact we critically analyzed some old cases and facts are as follows:

5.3.1Critical Analysis Of Similar Cases In Past

Hidden Cost

The case of Honda Canada is very similar to the cases that are mentioned in the findings section. It could be derived from Apple case study that Honda might have some late lawsuits from the customer who’s data has been compromised and might get victim of a fishing attack later on. Honda Canada have to pay some hidden costs for this breach as well which included installing new security software for data protection in future, securing the email services and training of employees against any fishing attack in future and most important banks may sue Honda for reissuing credit or debit card to the customers of Honda. All this kind of cost could be considered as "hidden cost", because as per the other breach cases such kind of costs have already hit the companies like Sony and Epsilon. It could be derived from Sony case study that banks may sue company for reissuing bankcards to customers who’s banking information has been compromised. Sony already agreed to pay for reissuing bankcards. It is possible that it is a same hacker group, which hacked Apple, Epsilon and Sony, because these all-major breaches happened one after another consecutively in almost one year. Honda breach might have a connection with Sony and/or Apple and/or Epsilon breach, because in all hacker groups have some how linked with the Anonymous Group. It not yet been proved but experts have estimated it that all these major breaches/Hackers might have same parent hacker group. Honda breach has compromised 280,000 individuals’ records, which is relatively a very large number of records. For example if somebody will have filed a lawsuit against Honda Canada then company might have to bear a great cost of this breach incident. The cost occurred to monitor each record online is $29.95/year, and this will cost CAD $8,386,000 to Honda for monitoring these compromised records each coming years. So there are so many invisible costs that could strike Honda for millions of dollars. Honda Canada case is similar to these cases above. It could be derived from Apple case study that Honda might also have some late lawsuits from the customer who’s data has been compromised and might get victim of a fishing attack later on. Honda Canada have to pay some hidden costs for this breach as well which included installing new security software for data protection in future, securing the email services and training of employees against any fishing attack in future and most important banks may sue Honda for reissuing credit or debit card to the customers of Honda. All this kind of cost could be considered as "hidden cost", because as per the other breach cases such kind of costs have already hit the companies like Sony and Epsilon. It could be derived from Sony case study that banks may sue company for reissuing bankcards to customers who’s banking information has been compromised. Sony already agreed to pay for reissuing bankcards. It is possible that it is a same hacker group, which hacked Apple, Epsilon and Sony, because these all-major breaches happened one after another consecutively in almost one year. Honda breach might have a connection with Sony and/or Apple and/or Epsilon breach, because in all hacker groups have some how linked with the Anonymous Group. It not yet been proved but experts have estimated it that all these major breaches/Hackers might have same parent hacker group.

Assuring Customers

It will be safe to state that the cost for Honda is pretty invisible at the moment, however still the company will have to spend millions to mitigate the impact of the breach by making positive perception in their customer’s mind though providing/granting full assurance of data protection. It could be derived from above case studies that companies have to spend more on tightening the security system, which could cost million, for example Sony beard the cost for shutting down the PlayStation Server immediately and then restore process begun which takes a large amount of time may be weeks/months and Sony spent millions for securing the user data in future, same in Epsilon case.

Corporate Loss

As from customer survey it could be derived that Honda lost 66% of its potential customers so another big loss that Honda might bear is loss of potential corporate customers. Those customers are like clients in foreign countries and always work as suppliers/hosts in foreign countries. Such clients are responsible for millions of revenue each year. For example in Epsilon case, company has lost its some very powerful corporate level customers after the incident happened. Epsilon lost some of its client companies, which were paying relatively a large amount of money every year to Epsilon for secure worldwide mailing service of Epsilon. One corporate client loss turns into loss of million Dollars and it has been disclosed that many corporate clients left Epsilon. Epsilon admitted the loss of million in an indirect way. Similar kind of loss could hit Honda Canada as well but in a limited scope because Honda doesn’t have too many corporate clients like Epsilon. On the other hand Honda has a large number of clients all over the world.

Alternatively, breach will leave a minimal impact on the economy of Canada as well because Honda stands as one the strong companies in Canada. The impact could be minimal on Canadian economy but if Honda sales/revenue goes down then it will definitely have an impact on Canadian economy.

Articles skimmed through at the literature review section strongly indicate that such cases of data breaches might not be of a great financial loss to the company that is affected by it, however it might have other repercussions that are dire. It is imperative for an organisation to have the confidence of its stake holders that also include the customers and share holders of the company. Such incidents can lead to a big dent in the confidence of the stakeholders towards the company. Moreover, lack of confidence and any further breach can result them to withdraw their stakes from the company and can hurt the company’s interests. Additionally, in a very competitive automobile market, the competitors of Honda Canada might use such breach incidents to their advantage and can gain a upper hand in the market. More often in today’s world of social media, word of mouth spreads faster than fire and can natively motivate the Honda’s loyal customers to shift their faith towards other automobile competitors in the market.

Following diagram depicts the whole situation including Direct and Indirect Impacts to Honda after this breach:

Figure TOTAL BREACH IMPACT

On the whole breach impact on Honda Canada could be millions, although, breach doesn’t have any direct impact but it might cause a lot bigger indirect cost to Honda Canada. Alternatively, breach will leave a minimal impact on the economy of Canada as well because Honda stands as one the strong companies in Canada. The impact could be minimal on Canadian economy but if Honda sales/revenue goes down then it will definitely have an impact on Canadian economy.

CHAPTER SIX: CONCLUSION AND RECOMMENDATIONS

6.1 Introduction

This chapter articulates the conclusions drawn from the researcher’s analysis of primary data that includes two Surveys and secondary data of three different case studies. In this part we try to answer the two research question which were asked in the first chapter of this research work, which are as follows:

1) What are the possible economic impacts of data breach to the economy of Honda Canada?

2) What measures should be done to counter the impact of data breach?

Moreover, this chapter reviews the contributions of this research to the body of knowledge relating to data breaches and computer security breach incidents. Recommendations for future research are also provided.

6.2 Conclusion

6.2.1 Possible Economic Impacts To Honda (1st Question)

After summarising the whole case it is clear that breach incident has a great economic and brand name loss after this unexpected incident. The 283,000 customer records have been breached and Honda sued for CAD$ 200 million (US$ 206 million) to counter the breach impact. Not even this cost, Honda has a great brand name worldwide but after this breach the perception of the company has been degraded. Customer survey and Employee survey has made it clear that company’s perception has gone down 66% because of limitations in training programs and lack of interest in security measures in the past. Gradually as the news spread, customers (existing and new) have changed their decisions about future deals. There is a matter of concern that the security system of this multinational company has proved really week. Breach incident costs Honda Canada a lot but still company is running in profit. This means breach cost has cut a large part of the profit.

The culprit/suspect of the breach is still safe, no arrests have been reported till now and the investigations are still going on. Honda seems to be very silent on this question to find the culprit. The data of 283,000 customers has been stolen and no culprit found and no arrests have been made. It is not in the Honda case, investigation has cleared that in last two years there are number of data breaches has been reported but no arrest regarding any breach has been reported till now. Canadian government has changed the information security law in 2009 and still Canadian government seems to be helpless in finding the breach suspects.

6.2.2 How To Tackle Breach Impact (2nd Question)

In respect to counter the impact of the breach as soon as breach has been detected Honda should have moved to the notification process, but this wasn’t happen in Honda case, as per the facts collected Honda issued first notification in French language on 13th May 2011, but the breach was disclosed in March 2011. It was a biggest mistake by Honda and company has cleared that this delay was to figure out the scope of the breach, that how many customer’s records has been compromised and what kind of data has been compromised. After the breach scope has been figured out, Honda notified all those customers whose records have been compromised. This delay was approximately of 2 months and these two months sued Honda Canada for CAD $200 million. This was a direct investment by the company to pay the claims filed by the customers in the court and to reassure security services again.

Honda Took Steps To Counter Breach Impact

Honda is a multinational company and company took some appreciable steps to minimise the impact of the breach. One of them is reassuring customer data security by installing new software and double firewall security on its server. Honda announced on its Investor Relation Website that company will be fully responsible for security and safety of customer data in future and anyone can claim from company if it happens again in future. Company tried to convince its stakeholders and apologised for inconvenience and to stay calm while company investigating the matter hard. This was a big relief for Honda customers and this is how Honda tried to restore customer’s faith in company. Another step was that Honda announced that any letter or email claiming personal information (Bank detail, address, name, telephone No. etc) on behalf of company or VIN, no need to reply and immediately consult with company. These two announcements were to big steps from company to protect customers from phishing attacks. To avoid such kind of incidents in the future Honda Canada or any other organization should follow the recommendations suggested below.

6.3 Recommendations

6.3.1 Preventive measures of data breaches

After encountering such a big incident, it is not easy for any organization to counter the impact and to convince the customers to stay with the company. As mention in some article in literature review chapter that Honda notified the customers very late that one customer has received first notification letter on 13th May 2011 but breach was disclosed in March 2011. So it was already a very late response from Honda Canada (Vijayan, 2011)

Every multinational/national/dealing through internet should have following security measures installed:

Firewall Protection

Kerberos Authentication

Certificate Services

Encryption File System (EFS)

IP Security

Spam Blocker

Authentication

Authorization

Anti-virus Software

The first step to take after such a serious crime is to turn off the server or machine, which has been breached. Honda has done the same, as soon as breach discovered Honda turned the server system off. This must be a first step because when any computer machine has been hacked then it means someone has got an unauthorised access to machine and to turn the system off is an only and efficient/fast solution stop the hacker from stealing data anymore. This is the only way to get rid of situation very quickly. Honda Canada was efficient regarding this step because as soon the breach has been disclosed, Honda turned the server to off mode.

The second step to counter the Impact of the breach is to notify customers as soon as possible, those are being affected by the breach. This step should be in consideration as soon as possible, so that affected customers could be saved from being trapped by the hacker. When any personal data has been stolen then it doesn’t mean that only Bank account number, credit/debit card number, or password is only an important information because names, addresses, security numbers (VIN), and telephone numbers could also be used to trap someone for example Honda uses VIN numbers to send mails, letters or to make calls to customers regarding any future deal, offer or another conformations and conversations, so same like company a hacker can send a trap email on the behalf of company using the stolen VIN. Customer would trust that letter because only customer and company know the VIN number. To save customers from being trapped through a suspicious mail or letter it is very important to notify the affected customers about the incident properly. Honda proved to be failed in notifying the customer soon. In the article (Vijayan, 2011), the breach was disclosed in March 2011 but first notification letter received by the first customer on 13 May 2011. Honda reacted very lazily on the breach incident. During this time from March to May Honda was trying to figure out the scope of the breach. Honda was trying to figure out that how many of customer’s records have been compromised, so that only those customers could be notified those are affected. During this long period of time many Canadian customers might have/have been trapped by the hackers.

Honda felt apology for the whole breach incident and for the late notification also. In the article, "Honda apologizes for the breach at Canada unit" by (Boston.com, 2011), has cleared that Honda has really ashamed from this incident. Honda also notified that VIN’s is the only important information has been stolen and credit/debit card no., bank account numbers, and telephone numbers are still safe at Honda server and have not been compromised. Only VIN numbers are the most important information that has been compromised.

4. Security is another step to for, making sure that proper security measures has been applied on whole information system so that such kind of incidents could be avoided and customer information is secured. Once Honda has permitted the customers to register or make account on MyHonda and MyAcura website then it was a Honda responsibility to secure the confidential information of the customers. Because of week security System Company is bearing the direct loss of investment of CAD$ 200 million (US$206 million) and as well indirect loss of invaluable brand loss. Honda is expecting a recorded loss on future sales at Canada Unit. The incident had left a negative influence on the minds of the customers; most of the customers have changed their mind about the future deals with Honda Canada. So for removing the little burden from the minds of the customer their data should be secured in the future and company must have to strengthen their security system. Investigation is very must for the finding the suspect and to find out the week security point so this week could be strengthen to avoid such incidents in future. This is really confusable in this case that real suspect or week security point hasn’t been disclosed. Company gave the reason behind it that "some hacker group sent a spam email containing a suspicious link and its been accessed by some employee and then his/her ID and password had been hacked. Hackers use this ID and password to breach into Honda server".

In this whole incident its really strange that investigations has proved unable to find the employee name whose ID has been hacked and also unable to find that how hackers had able to hack into Honda server by penetrating the Silverpop security. Means Silverpop might be a suspect in this case. Even investigations are still going on but company hasn’t discovered the week security point.

To convince the customers whose personal data had been stolen, Honda should allot new Vehicle Identification Numbers (VIN) to each customer so that they feel secured for the further communication and also new ID’s and passwords for their online accounts. This action will create sympathy between company and its customers. Furthermore, Honda should go for awareness about newly applied security system through a campaign making understand customers that it was just an accident and it could never happen again data is secured now. Honda should go for compensate to those customers, whose data had been compromised in this breach. This compensation action will create loyalty of customers for Honda Canada.

Further company should help customers in getting rid of this fearful situation by keeping their personal information in a fully self-controlled server with extra security systems. Honda Canada should not depend on Silverpop for the security of personal information of customers. It is not much harder for such a large multinational organization to have a own server and communication channel Just for one server system. So that data could be fully secured. Suppose in this breach if hackers would have been able to stole the bank account numbers or credit/debit card numbers then company would have been gone bankrupt till now because in the meantime Honda has notified the customers, hackers would have robbed the billions of dollars from the stolen customer account numbers and Honda would have to bear the whole claim of this incident. This situation may lead to bankruptcy. Experts can actually understand the cost of this situation and they would suggest the same for company to own their own self-controlled server. Because security