What do data breaches cost? Three of the world's most expensive data breaches
You know what to do to minimize the chances of having your personal information posted on a hacking forum. You know how to look out for phishing pages, you have an up-to-date anti-malware program, and you only use trusted websites where your accounts are protected with complex and unique passwords. You think that you're pretty much invincible. Unfortunately, that's not strictly true.
Small, poorly secured vendors get breached every day, but the big, powerful Internet companies that have thousands of employees and millions of dollars also fall victim to successful attacks sometimes. And when they do, the shockwave affects everyone from the regular user to the CEO of the attacked company.
Users have their privacy compromised and personal information exposed. Companies, on the other hand, need to spend money on fixing their systems and mitigating the risks after the incident. They need to spend a lot of money.
How big is the financial damage after a data breach?
There is no simple way to answer this question. Commissioned by IBM Security, the 2017 Cost of Data Breach Study involved a total of 419 companies that had been attacked the previous year, and the conclusion was that the average cost of an incident that results in a data leak is about $3.6 million. This is far from conclusive, though.
The bigger the company, the more data it can lose. You'd think that the more data lost, the greater the monetary damage, but again, things are not as simple as that. In fact, a lot of factors are involved. Everything from the nature of the stolen information to the way the company is handling the incident plays a part, and even when you take all this into account, it's still not easy to accurately estimate the financial effects, not least because the costs accumulate over time.
What's more, the financial damage doesn't only translate into the money paid to victims and security professionals who need to clean up the mess. It's also reflected in the reputation of the company and the fact that users are finding it harder to trust an organization that has had a security incident.
The upshot is, an estimate of how much a data breach costs can never be absolutely accurate. Still, if we take a look at some of the big incidents from the last few years, we could at least get an idea of how massive the effects could be.
Uber's 2016 data breach was a particularly ugly story. The hack involved stolen login credentials which, for unfathomable reasons, were put in a GitHub repository. These credentials opened an Amazon Web Services account which contained the personal information of about 57 million users and the driver's license numbers of 600 thousand drivers.
When Uber found out about the incident, it didn't behave in the most responsible way possible. Instead of being transparent, it paid the hackers $100 thousand, and the crooks promised to delete the data. Then, Uber acted as if nothing had happened.
It wasn't until a year later that the truth surfaced, and, predictably, the outrage was enormous. The sloppy handling of the breach led to the firing of Joe Sullivan, the Chief Security Officer at the time, and it contributed to the company's valuation dropping from around $68 billion to $48 billion.
It was a lesson in how not to handle a data breach, and although the ride-hailing company is now headed by a new management team, security-conscious users will still think twice before creating an account.
The Yahoo! breach is by far and away the biggest data breach ever recorded, and this makes tallying up the financial damage even more difficult. It is huge, though. Last month, for example, Yahoo! settled a class action lawsuit with its own shareholders for $80 million. A few days ago, the US Securities and Exchange Commission slapped a $35 million fine on the Sunnyvale company for failing to disclose the breach. And when the news came out in 2016, Yahoo! was in the middle of negotiating its acquisition by Verizon. In the end, Verizon got a $350 million discount because of the incident.
Plenty more class action lawsuits are yet to be filed, and more money is yet to change hands. One thing is absolutely certain – the impact from the users' lost trust is immeasurable.
In September 2017, Equifax, one of the US's biggest credit bureaus, announced that hackers had breached its systems and made off with the personal information of around 145 million individuals. Compared to Yahoo!, which lost all 3 billion of its accounts, the breach doesn't seem so huge. Because the stolen data included extremely sensitive details like Social Security numbers and, in some cases, credit card and driver's license numbers, however, the damage could be just as enormous.
Within about a week, the credit reporting agency's stock lost around a fifth of its value, and at least 30 class action lawsuits were filed against Equifax in a matter of a month. To mitigate the risks associated with the hack, Equifax also offered credit monitoring services to the victims for free. The financial costs are adding up as we speak, and that's without even considering the business Equifax will lose because of the breach.
Experts have done a lot of research on the matter, and companies continue to conduct surveys. Despite this, nobody can say with reasonable accuracy how much money a company will lose if it gets hacked.