
Security Management

5/21/2019
07:00 AM
Larry Loeb

Monster Breaches Do Monstrous Damage

Breaches cost massive amounts of money to fix, as a new report from Bitglass shows.

Bitglass has looked at the top three data breaches of the last three years and found that a drop in the victim's stock price after the breach was one of the effects.

Their report, Kings of the Monster Breaches, examined the Marriott breach of 2018, the Equifax breach of 2017 and the Yahoo! breach of 2016. These top three breaches affected a mean number of 257 million individuals directly.

The cause of the breaches was external cyber attacks, all of which leveraged phishing, malware, technical vulnerabilities and more. So far, these breaches have cost their individual companies an average of $347 million in legal fees, penalties, remediation costs and other expenses.

Bitglass found that, after being breached, the enterprises suffered an average 7.5% decrease in stock price. This translates to a mean market cap loss of $5.4 billion per company. In comparison, the S&P 500 decreased an average of 0.17% over the same timeframe.

Equifax's stock price has not yet recovered, but the other two took an average of 46 days to return to their pre-breach levels. In Marriott's case, unauthorized parties gained access to reservations made up to September 10, 2018, and possibly as far back as 2014.

Marriott discovered the breach while it was working toward GDPR compliance. GDPR is now fining Marriott $912 million. Marriott experienced a 5.6% drop in share price following the breach, and multiple lawsuits are pending over the incident.

Yahoo!'s 2016 breach is almost unimaginable in its size. Two breaches were reported. In September of 2016, 500 million users were found to have been affected. That pales in significance against what showed up in December: an attack involving over 1 billion users. Compromised information included PII, which was initially collected in 2014 and used through December of 2016.

Yahoo! spent over $95 million on remediation and legal fees, as far as can be determined. It was also fined an additional $35 million because it did not disclose the hacks to investors.

The breach at Equifax occurred because of a flaw in unpatched open-source software that was used by the credit reporting company. ("It was on a production machine, we couldn't stop it to patch!" was one of the excuses floating around post-breach.)

Attackers were able to access sensitive data such as Social Security numbers, credit card numbers, full names, dates of birth and home addresses -- all the financial good stuff. Over 143 million people had their personal information impacted by the event.

Worse, it took roughly two months for the breach to be discovered. The company's CSO, Susan Mauldin, and CIO, David Webb, were taken out to the woodshed and "retired" immediately after the incident became public.

The stock got hit hard, too. Shares of Equifax dropped nearly 14% the day after the announcement, and 31% within two weeks.


Equifax faced $439 million in legal, remediation, insurance, and investigation costs for the breach.

Breaches cost massive amounts of money to fix, as the report shows. Beyond that, the intrinsic value of the victim may be affected in a permanent way.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
