Nearshore Americas

When Cyberattacks Happen, How Much Damage Do They Cause for Outsourcers?

Beyond the hassle and the unwanted media attention, cyberattacks can be quite costly for BPOs.

Cybersecurity is a growing concern for practically all industries. BPOs, though, find themselves among the most vulnerable targets. A report by cybersec vendor SentinelOne pointed out that BPOs have become preferred targets of hackers due to the amount of personal data they handle, as well as the comparatively lower levels of protection in their systems. We at NSAM have reported on the apparent rise of data breach-related lawsuits hitting BPOs over the past couple years, a trend that shows no signs of slowing down anytime soon. 

The financial impact of cyberattacks can be measured in several ways: from direct hits to revenue to loss of trust, PR firestorms, fines, legal battles and future investments on cyberdefenses. 

To better understand the variety in damages that can result from a BPO being successfully hit by a hack, NSAM provides the following list of companies who have fallen victims to cybercrime. The list provides information on the attack (when and how it happened), as well as the costs that resulted from it.

A disclaimer: this is not a comprehensive list. The companies and incidents included were chosen due to the availability of the information, sourced from public financial reporting and other SEC filings, as well as media reports. 

When assessing the financial impact of cyber attacks, one should also consider the possibility of “hidden costs”, including undisclosed settlements resulting from lawsuits and unreported ransomware payments. 

Atento

Atento’s Brazilian operation suffered a ransomware attack in October 2021. The company claims to have been successful in detecting the attack promptly and in isolating its systems from further damages. 

Atento recognized, nevertheless, that its revenue for the year was “strongly impacted” by the attack, to the tune of US$46.1 million: US$34.8 million in revenue itself, plus US$11.3 million in “operational expenses/penalties”. The latter includes a US$4 million “probable cash compensation” to its affected customers “related to costs and expenses incurred […] due to service interruption of our services to them”.

“Despite not having made payments of ransom, Atento Brasil incurred expenses related to containing the threat, to implementing a prevention and contingency plan for reestablishing services, and to fines”, the company pointed out in its 2021 financial report

“While service was restored within 72 hours of the cyberattack, the Company was unable to comply with all expected contractual service volumes for the months of October and November, due to client IT and cybersecurity protocols that prevented the resumption of Atento’s services”, it added. 

Such expenses included consulting firms, leasing of equipment, software and infrastructure expenses, fines for delays in collecting tax forms and payroll expenses due to overtime needed to reboot their service.

TTEC

TTEC became aware of an attack on its systems in September of 2021. Though the company launched what it described as a fast and aggressive campaign to curb potential damages to its data and that of its customers, it could not dodge the bullet completely.

The cyberattack caused outages in the operations of TTEC’s clients who used its Engage platform. The hack ultimately cost the company US$13.4 million, which offset its revenue gains for that year, according to the company’s 2021 financial filings

TTEC also mentioned possible investments on cybersecurity of “at least US$6 million in 2022 and beyond” in response to the cyberattack and “certain lawsuits alleging data privacy failures” served during the first quarter of 2022. A class action lawsuit was indeed filed against the company in early 2022, alleging that the hack affected at least 100,000 employees and former employees of the company, exposing their data.

Alorica

Alorica was the victim of an apparent phishing attack in October of 2017. The hackers got hold of the company’s communications systems and e-mailed clients asking for payments related to business with Alorica. The funds were being sent to the hackers’ accounts. 

Express Scripts –a pharmacy benefit management firm and one of Alorica’s customers– sent US$4.8 million to the hackers. Express Scripts asked Alorica to forgive those US$4.8 million in debt, arguing that the payment made was a result of fraud which resulted directly from Alorica’s systems being compromised. 

Alorica seeked coverage for the US$4.8 million loss with its insurance provider, Starr. The provider refused, taking the dispute to court. The judge ruled in favor of Starr, leaving Alorica with a loss of at least US$4.8 million due to the attack. 

Ibex

In August of 2020, ibex caught wind of an attack on its systems, which it disclosed to the public two months later. The company launched an investigation, which showed that the data breach might have led to the access of files which included “information related to individuals”. This group of individuals (whose number was not disclosed) was warned by ibex, who claimed that “there is no indication that any person’s specific information was accessed or misused”.

In its financial report for 2021, ibex assured that, based on internal and independent forensic analysis on the attack, “we do not believe the incident will have a material impact on our business, financial condition, or results of operations”.

However, the company did agree to pay US$2.4 million to settle a class action lawsuit related to the data breach.

StarTek 

StarTek was hit by a data breach in June of 2021. The incident resulted in “temporary disruption to our business that was caused by the threat actors encrypting some of our systems and our precautionary actions to move certain of our systems offline”, the company informed investors in its 2021 annual report.

The attack did disrupt the operations of some of StarTek’s clients, the company recognized, particularly those who relied on a work from home setup for delivery. 

StarTek pointed out in its report that the attack had “some impact” on their revenues and operating income for the year, though it assured it was “not significant” thanks in part to insurance. 

In January of 2022, a class action lawsuit was filed against the company. StarTek agreed to settle later that year. Though a concrete amount hasn’t been disclosed –it’ll depend on how many people manage to successfully claim payments–, the company will have to pay reimbursements of up to US$5,000 to every affected party. According to the lawsuit, almost 25,000 people were affected by the data breach.

Paying Under the Table

One has to bear in mind the possibility of “hidden costs” when it comes to cyberattacks. Companies –even publicly traded ones– are quite conservative about the information they make public after an attack. 

Among the most well guarded “hidden costs” are ransomware payments. Though not outright illegal in the US, federal authorities warn against the payment of ransom after a cyberattack, with some law enforcement agencies implying that such payments could be construed as the funding of criminal activity

“It has been our experience that most victims engage with the threat actors and proceed with some form of payment”— Kurtis Minder, CEO and Co-Founder of GroupSense

There are enough incentives to stir businesses away from paying ransom. Nevertheless, cybersecurity analysts see a mismatch between widely accepted security protocols and actual practice.

“The fact that ransomware attacks keep happening tells us that the crime is profitable. I see a difference between what’s dictated by international protocols, such as ISO 2700, and what businesses actually do”, said Juan Manuel Aguilar, a Mexican cybersecurity expert and observer of the security landscape in Latin America. “To me, there seems to be a lack in information gathering, as well as in the companies’ honesty on whether they paid for ransom or not”.

It’s “very common” for companies to attempt ransomware payments, said Kurtis Minder, CEO and Co-Founder of cybersec vendor GroupSense, in an interview with NSAM. 

Kurtis Minder, CEO and Co-Founder of GroupSense

“Many companies do not report the attack. For those cases, we do not know how many pay and how many do not”, he added. “It has been our experience that most victims engage with the threat actors and proceed with some form of payment. We have heard of cases where the victims just pay what is asked for, but that is uncommon. Most victims engage with a firm to help them negotiate the price lower” 

For BPOs, the incentive for payment is usually higher than for most businesses. Given that they calculate losses of revenue by the hour, a “quick and hefty payout” can be viewed as justified, explained Minder. 

While there are no concrete numbers on how many companies actually pay ransom, there are other signs of payments happening. Ransomware negotiations keep popping up as part of the services provided by law firms and cybersec vendors. Even AT&T has a guide on how to handle the situation. The Treasury Department’s Financial Crimes Enforcement Network (FiCEN) reported that US banks processed US$1.2 billion in likely ransomware payments in 2021, a record number and triple the volume reported the year prior.

Sign up for our Nearshore Americas newsletter:


The air of secrecy might find itself under intense light soon, though. In early 2022, the US Senate passed a bill that would, among other things, press businesses to disclose if they made ransomware payments. The bill has yet to see progress in the House, though.

Cesar Cantu

Cesar is the Managing Editor of Nearshore Americas. He's a journalist based in Mexico City, with experience covering foreign trade policy, agribusiness and the food industry in Mexico and Latin America.

Add comment