Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

Marc Wilczek
Average Cost of a Data Breach: $116M

Sensitivity of customer information and time-to-detection determine financial blowback of cybersecurity breaches.

The authors of the "Trends in Cybersecurity Breach Disclosures" report from Audit Analytics reviewed 639 cybersecurity breaches at public companies since 2011 and discovered that, on average, each cyber breach costs $116 million.

The report found that in 2019, cybercriminals most often targeted customer names, addresses, and e-mail addresses (48%, 29%, and 28% of breaches, respectively). In 2018, names and credit card information were the most sought-after types of information. Between 2011 and 2019, malware (34%) was the most commonly used method to obtain data, followed by phishing (25%), unauthorized access (20%), and misconfiguration (12%). However, almost half (43%) of companies that suffered a data breach did not disclose the type of attack.

Multivector Web-Based Attacks Are Common
In 2018, British Airways became the victim of the most extensive data breach since the introduction of the EU's General Data Protection Regulation. In that incident, criminals stole customer names, addresses, e-mail addresses, and detailed credit card information. A web application firewall, which inspects and filters traffic to websites, might have prevented this: it is designed to detect and block data theft, SQL injection, and cross-site scripting, the techniques most often used to compromise websites. Apparently, the airline either lacked this firewalling measure or didn't configure it properly.

Distributed denial-of-service (DDoS) attacks — which cause an abrupt spate of Internet traffic to web or application servers — can cripple a company's online infrastructure. They are also relatively easy to launch. As a result, they're often used to cover up a broader, more serious attack. In 2015, for example, Carphone Warehouse websites including OneStopPhoneShop.com, e2save.com, and Mobiles.co.uk were hit by a DDoS attack that diverted its IT experts' attention from a sophisticated hack of the company's customer database and a theft of 2.4 million customer records. The credit card information of roughly 90,000 customers was stolen, although — and fortunately for Carphone Warehouse — the data was encrypted.

Stock Market Aftershocks
Companies that expose themselves to breaches often pay penalties for allowing the attacks to happen. Besides these, according to the Audit Analytics report, remediation costs and lower stock market values are the other two most significant financial impacts of a breach.

The primary cost factor for a breach is the value of the stolen information. Not surprisingly, compromised financial information is seen as the most damaging. But Audit Analytics noted that, between 2016 and 2019, Social Security numbers (SSNs) also became popular breach targets, as SSN thefts increased by more than 500% during that period. Since 2011, of the breaches of publicly traded companies that cost more than $50 million to remediate, seven compromised financial information and three compromised SSNs. Some of the largest attacks were leveled at Target in 2013 ($292 million), Home Depot in 2014 ($298 million), Equifax in 2017 ($1.7 billion), and Marriott in 2018 ($114 million).

It's important to note that the biggest cases — like the $5 billion Facebook has spent on its breaches or the nearly $2 billion spent by Equifax — skew the average data breach cost. Note that while the Audit Analytics report pegged Equifax's remediation costs at $1.7 billion, the company reported more remediation spending in the first quarter of 2020.

Slower Time-to-Detection Escalates Costs
The second determining factor in the cost of a data breach is the length of time it takes to disclose the breach. According to Audit Analytics, an average of 108 days passed before companies discovered a breach and 49 more days, on average, before they reported it. The median gap between the discovery of a breach and notifying the authorities was 30 days.

For companies, the discovery-to-disclosure period isn't trivial. An academic article citing research from Audit Analytics found that equity value declined about 0.33% in firms that immediately disclosed a data breach, but by 0.72% in those that delayed disclosure by a month. The decline was much larger when companies failed to disclose the attack and parties outside the firm later discovered it. In these cases, company stocks dropped 1.47% in the three days after the revelation of the attack and 3.56% in the month afterward.

The worst case of delay involves Yahoo, which knew that Russian hackers had penetrated its system in 2013 but only reported the breach at the time of the firm's acquisition by Verizon in 2016. The hack affected more than 3 billion accounts. The Securities and Exchange Commission eventually fined Yahoo $35 million for the 1,649-day delay in reporting the breach. Another case involves a data breach at Choice Hotels International, which began in June 2015 but was not reported until 2019. Data from the chain's online reservation portal were shared with third parties more than 88,000 times because of a coding error.

Complex Attacks Require Better Internal Controls
To be fair, some firms hire third-party investigators to look into their data breaches, which can delay reports to authorities. Nevertheless, the delays are problematic. "Cyber breaches that are not discovered quickly are concerning for both regulators and investors," the Audit Analytics report states, referring to an SEC investigative report on the effects of cyber fraud on the internal controls of public companies. The SEC did not recommend enforcement in the nine cases highlighted in its 2018 document, but it did recommend that firms review their internal controls in relation to cyber threats.

"Data breaches that are not discovered quickly raise red flags about a company's internal controls, suggesting that controls may not have been sufficient enough to detect the issues in a timely manner," the Audit Analytics report concludes.

Depending on the nature of the information that is lost, repeated breaches can lead to extra future costs, including lawsuits filed by consumers and vendors whose financial data was compromised or by company employees whose personal data were affected. Diligence by IT is crucial, especially since research and experience show that the bad guys always come back: Audit Analytics reported that 26% of companies hit by data breaches — including Facebook, Sony, Amazon, Comcast, and T-Mobile USA — were victimized repeatedly.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...

Comments
User Rank: Apprentice
6/25/2020 | 2:17:57 AM
Average Cost of Data Breach $ 116M
This is a very adequate article about data loss. I have one observation: normally, firms do not have skilled persons to view or understand a breach. Firewalling is a specialty that is available in the market, but to analyze a breach or attack, a deep understanding of network and application traffic and behavior is essential.