Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/24/2020
02:00 PM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Average Cost of a Data Breach: $116M

Sensitivity of customer information and time-to-detection determine financial blowback of cybersecurity breaches.

The authors of the "Trends in Cybersecurity Breach Disclosures" report from Audit Analytics reviewed 639 cybersecurity breaches at public companies since 2011 and discovered that, on average, each cyber breach costs $116 million.

The report found that in 2019, cybercriminals usually targeted customer names, addresses, and e-mail addresses (48%, 29%, and 28%, respectively). In 2018, names and credit card information were the most-sought types of information. Between 2011 and 2019, malware (34%) was the common commonly used method to obtain data, followed by phishing (25%), unauthorized access (20%), and misconfiguration (12% percent). However, almost half (43%) of companies that suffered a data breach kept the type of attack to themselves.

Multivector Web-Based Attacks Are Common
In 2018, British Airways became the victim of the most extensive data breach since the introduction of the EU's General Data Protection Regulation. In that incident, criminals stole customer names, addresses, email addresses, and detailed credit card information. Web application firewalling, which inspects and filters traffic on websites, might have prevented this because it's designed to detect and stop data theft and SQL injection as well as cross-site scripting, which are often used to compromise websites. Apparently, the airline either lacked this firewalling measure or didn't configure it properly.

Distributed denial-of-service (DDoS) attacks — which cause an abrupt spate of Internet traffic to web or application servers — can cripple a company's online infrastructure. They are also relatively easy to launch. As a result, they're often used to cover up a broader, more serious attack. In 2015, for example, Carphone Warehouse websites including OneStopPhoneShop.com, e2save.com, and Mobiles.co.uk were hit by a DDoS attack that diverted its IT experts' attention from a sophisticated hack of the company's customer database and a theft of 2.4 million customer records. The credit card information of roughly 90,000 customers was stolen, although — and fortunately for Carphone Warehouse — the data was encrypted.

Stock Market Aftershocks
Companies that expose themselves to breaches often pay penalties for allowing the attacks to happen. Besides these, according to the Audit Analytics report, remediation costs and lower stock market values are the other two most significant financial impacts of a breach.

The primary cost factor for a breach is the value of the stolen information. Not surprisingly, compromised financial information is seen as the most damaging. But Audit Analytics noted that, between 2016 and 2019, Social Security numbers (SSNs) also became popular breach targets, as SSN thefts increased by more than 500% during that period. Since 2011, of the breaches of publicly traded companies that cost more than $50 million to remediate, seven compromised financial information and three compromised SSNs. Some of the largest attacks were leveled at Target in 2013 ($292 million), Home Depot in 2014 ($298 million), Equifax in 2017 ($1.7 billion), and Marriott in 2018 ($114 million).

It's important to note that the biggest cases — like the $5 billion Facebook has spent on its breaches or the nearly $2 billion spent by Equifax — skew the average data breach cost. Note that while the Audit Analytics report pegged Equifax's remediation costs at $1.7 billion, the company reported more remediation spending in the first quarter of 2020.

Slower Time-to-Detection Escalates Costs
The second determining factor in the cost of a data breach is the length of time it takes to disclose the breach. According to Audit Analytics, an average of 108 days passed before companies discovered a breach and 49 more days, on average, before they reported it. The median gap between the discovery of a breach and notifying the authorities was 30 days.

For companies, the discovery-to-disclosure period isn't trivial. An academic article citing research from Audit Analytics found that equity value declined about 0.33% in firms that immediately disclosed a data breach, but by 0.72% in those that delayed disclosure by a month. The decline was much larger when companies failed to disclose the attack and parties outside the firm later discovered it. In these cases, company stocks dropped 1.47% in the three days after the revelation of the attack and 3.56% in the month afterward.

The worst case of delay involves Yahoo, which knew that Russian hackers had penetrated its system in 2013 but only reported the breach at the time of the firm's acquisition by Verizon in 2016. The hack affected more than 3 billion accounts. The Securities and Exchange Commission eventually fined Yahoo $35 million for the 1,649-day delay in reporting the breach. Another case involves a data breach at Choice Hotels International, which began in June 2015 but was not reported until 2019. Data from the chain's online reservation portal were shared with third parties more than 88,000 times because of a coding error.

Complex Attacks Require Better Internal Controls
To be fair, some firms hire third-party investigators to look into their data breaches, which can result in delays to reports to authorities. Nevertheless, the delays are problematic. "Cyber breaches that are not discovered quickly are concerning for both regulators and investors," its report states, referring to a SEC investigative report on the effects of cyber fraud on the internal controls of public companies. The SEC did not recommend enforcement in the nine cases highlighted in its 2018 document, but recommended that firms review their internal controls in relation to cyber threats.

"Data breaches that are not discovered quickly raise red flags about a company's internal controls, suggesting that controls may not have been sufficient enough to detect the issues in a timely manner," the Audit Analytics report concludes.

Depending on the nature of the information that is lost, repeated breaches can lead to extra future costs, including lawsuits filed by consumers and vendors whose financial data was compromised or company employees whose personal data were affected. Diligence by IT is crucial, especially since research and experience shows that the bad guys always come back: Audit Analytics reported that 26% of companies hit by data breaches — including Facebook, Sony, Amazon, Comcast, and T-Mobile USA — were victimized repeatedly.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
newtech.iqbal
50%
50%
newtech.iqbal,
User Rank: Apprentice
6/25/2020 | 2:17:57 AM
Average Cost of Data Breach $ 116M
This is very an adequate article about data loss. I have one observation; normally firms do not have skilled persons to view or understand breach. Firewalling is a specialty which is available in market but to analysis breach or attack, deep understanding of network and application traffic and behavior is essential.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.