How Much Did Recent Hacks Cost Retailers?

IoT Powers DDoS Attacks

This wasn’t the Black Friday retailers expected.

We’re not talking about the venerable day after Thanksgiving — nothing that sunny. We’re talking a bit dark here — as in the internet going dark. Cyberattacks that targeted server farms last week operated by Dyn Inc. took down a spate of some of the biggest online firms out there, including PayPal, Netflix, Twitter and Amazon.

Among the barest bones of facts: There were three waves of denial-of-service attacks through the day that slammed servers with excess traffic, so much so that users could not access those sites, and the ripple effect extended from the U.S. into Europe. The surge of data stemmed from millions of internet-connected machines, including webcams and other household devices, such as thermostats. The culprits? A group calling itself the New World Hackers.

The end result? People couldn’t shop. The first attack stretched from about 7 a.m. Eastern in the United States and lasted roughly two hours. Then, the second wave hit data centers located outside the U.S. and hit sites, like Etsy and eBay, and retail operations hosted by Shopify.

It’s hard to know just how long, cumulatively, sites were down, as anecdotal evidence trickles in. Some sites were down for short stretches, others for longer. But in examining what might be in store — should it happen once, it could happen again — consider the impact to those sites that rely on transactions for their lifeblood, as in revenues. Some media sites were knocked offline, but by and large, they rely on subscriptions for their business model.

But a number of retailers have a hybrid model in which subscriptions and transaction-dependent sales exist side by side. And it is the latter revenue stream that could suffer in an outage. That might be the case for a firm such as Shopify, which is based in Canada and which has subscriptions and merchant solutions. Merchant solutions, as defined in the company’s latest 6-K (for June, as the Sept. 2016 quarter has not been released yet), are defined as payment processing fees generated on a transactional basis.

How much is the impact for Shopify? We’re going to take a stab at it, and as some say, it’s better to be generally right than precisely wrong. To be conservative, we’ll use historical data (even though eCommerce firms, by and large, have been growing, well, like wildfire).

Consider that about 59 percent of Shopify’s business came from the United States, and the latest quarter showed up at roughly 49 percent of the top line at $42.9 million for the total segment. That would imply 59 percent of the $43 million comes from the U.S., and with 90 days in the quarter, that comes to roughly $281,900 daily. Transactions can take place all day long. So, on a 24-hour basis, the revenues here are a bit more than $11,745 an hour. Let’s assume three hours lost. That’s more than $35,000. Not much in the context of the millions of dollars generated across the business as a whole. But it gives some sense of how a prolonged outage (many hours, several days?) might hurt.

Similarly, take Amazon. The eCommerce giant has said, and news outlets have reported, that 15 percent of total U.S. consumer sales, all in, come through Amazon, for about $125 billion, as noted by USA Today. That’s annually. And the annual tally, divided by 365, equals about $34 million, each day. Let’s say, again, that three hours of transaction-related revenues were lost. That comes to nearly $43 million lost. Again, not a huge amount, relatively speaking (though, as an absolute number, it ain’t bupkus).

Consider again how much a prolonged outage might take — and one during the all-important holiday shopping season — and suddenly, the Internet of Things might start to look like the Internet of (Very Bad) Things.