Monster Breaches Do Monstrous Damage

Bitglass has looked at the top three data breaches of the last three years, and found that a drop in the victim's stock price post-infection was one of the effects.

Their report, Kings of the Monster Breaches, examined the Marriott breach of 2018, the Equifax breach of 2017 and the Yahoo! breach of 2016. These top three breaches affected a mean number of 257 million individuals directly.

The cause of the breaches was external cyber attacks, all of which leveraged phishing, malware, technical vulnerabilities and more. So far, these breaches have cost their individual companies an average of $347 million in legal fees, penalties, remediation costs and other expenses.

After being breached, Bitglass found that the enterprises suffered an average 7.5% decrease in stock price. This leads to a mean market cap loss of $5.4 billion per company. In comparison, the S&P 500 decreased an average of 0.17% over the same timeframe.

Equifax's stock price has not yet recovered, but the other two took an average of 46 days to return to their pre-breach levels. In Marriott's case, unauthorized parties gained access to the reservations that were made between September 10, 2018 and possibly as far back as 2014.

Marriott found out about the existence of the breach while it was attempting GDPR compliance. GPDR is now fining Marriott $912 million. Marriott experienced a 5.6% drop in share price following the breach. There are multiple lawsuits pending about the situation.

Yahoo's 2016 breach is almost unimaginable in its size. There were two breaches reported. In September of 2016, 500 million users were found to have been breached. But that pales in significance against what showed up in December, an attack involving over 1 billion users. Compromised information included PII, which was initially collected in 2014 and used through December of 2016.

Yahoo! spent over $95 million on remediation and legal fees, as far as can be determined. They were also fined an additional $35 million cause they did not disclose the hacks to investors.

The breach at Equifax occurred because of a flaw in unpatched open-source software that was used by the credit reporting company. ("It was on a production machine, we couldn't stop it to patch!" was one of the excuses floating around post-breach.)

Attackers were able to access sensitive data such as Social Security numbers, credit card numbers, full names, dates of birth and home addresses -- all the financial good stuff. Over 143 million people had their personal information impacted by the event.

Worse, it took roughly two months for the breach to be discovered. The company's CSO, Susan Mauldin, and CIO, David Webb, were taken out to the woodshed and "retired" immediately after the incident became public.

The stock got hit hard, too. Shares of Equifax dropped nearly 14% the day after the announcement, and 31% within two weeks.

Over 143 million people had their personal information impacted by the event.

Equifax faced $439 million in legal, remediation, insurance, and investigation costs for the breach.

Breaches cause massive amounts of money to fix, as the report shows. Not only that, the intrinsic value of the victim may be affected in a permanent way.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.