They say when industries go nutty with consolidation and high-dollar M&A deals, the only folks who really make money are the bankers and the lawyers. Shareholders end up holding the bag, but these folks have moved on to the next deal.

Given all the recent retail sector breaches (there are too many to even link), let’s take a look at who is going to profit. Mostly because we can. The forensicators are first in line. They are running the investigations and figuring out how many millions of identities and credit cards have been stolen. The next group feeding at the breach trough are the credit monitoring folks, who get a bulk purchase agreement each time to cover consumers who were compromised this time.

The crisis communication PR folks also generate hefty bills. Customers are pissed and the retailer is on the evening news – not for the new store design. The company needs to start driving the message, which means they need PR heavies to start spinning like a top. Ka-ching.

Of course security vendors win as well. There is no time to grab security budget like right after a breach. Senior management doesn’t ask why – they ask whether it is enough. Every security salesperson tells tall tales about how their products and services would have stopped the breach. Who cares if the offering wouldn’t have made a difference? Don’t let the truth get in the way of the new BMW payment! It’s a feeding frenzy for a few quarters after the breach. Sell, sell, sell!

But it doesn’t end there – lawyers always get their piece of the action by launching a variety of class-action suits against the retailer. We haven’t yet (to my knowledge) seen a successful judgement against a company for crappy security resulting in lost identities, but it’s coming. Although it is usually just easier to settle the class action rather than fight it. The lucky winners in the class action might each get a $5 gift card. The lawyers walk away with 20-30% of the judgement. Yes, that’s a lot of gift cards.

Internally the company needs to make sure this kind of thing doesn’t happen again. So they fire the existing CISO and look for another one. Then the security recruiters spring into action. The breached retailer is looking, but many others will either try to fill their own positions, or perhaps decide to make a change before they find themselves in the same unhappy place. Of course the new CISO had better take advantage of the first few quarters during the honeymoon, with a mandate to fix things. Lord knows that doesn’t last long. Soon enough retailers always realize they are still in a low-margin business, and spending on security technology like a drunken sailor hasn’t helped sell more widgets. But that flyer in the Sunday paper offering a 35% discount sure did.

Finally, let’s not forget the shareholders. You’d think they’d be losers in this situation, but not so much. Wall Street seems to be numb to breaches by now. The analysts just build the inevitable write-down into the model and move on. If anything it forces companies to button down some leaky operational issues and might even improve performance.

Of course the loser is the existing CISO and maybe the CIO, who get thrown under the bus. But don’t feel too bad for them. They will probably write a book and do some consulting while they collect the severance package and the road rash heals. Then they’ll get back in the game by being candid about what they learned and how they will do it differently next time.

We have all seen this movie before. And we’ll see it again. And again. And again.

Photo credit: “Pigs at trough, 1927” originally uploaded by King County, WA