The authors of the "Trends in Cybersecurity Breach Disclosures" report from Audit Analytics reviewed 639 cybersecurity breaches at public companies since 2011 and discovered that, on average, each cyber breach costs $116 million.
The report found that in 2019, cybercriminals usually targeted customer names, addresses, and e-mail addresses (48%, 29%, and 28%, respectively). In 2018, names and credit card information were the most-sought types of information. Between 2011 and 2019, malware (34%) was the common commonly used method to obtain data, followed by phishing (25%), unauthorized access (20%), and misconfiguration (12% percent). However, almost half (43%) of companies that suffered a data breach kept the type of attack to themselves.
Multivector Web-Based Attacks Are Common
In 2018, British Airways became the victim of the most extensive data breach since the introduction of the EU's General Data Protection Regulation. In that incident, criminals stole customer names, addresses, email addresses, and detailed credit card information. Web application firewalling, which inspects and filters traffic on websites, might have prevented this because it's designed to detect and stop data theft and SQL injection as well as cross-site scripting, which are often used to compromise websites. Apparently, the airline either lacked this firewalling measure or didn't configure it properly.
Distributed denial-of-service (DDoS) attacks — which cause an abrupt spate of Internet traffic to web or application servers — can cripple a company's online infrastructure. They are also relatively easy to launch. As a result, they're often used to cover up a broader, more serious attack. In 2015, for example, Carphone Warehouse websites including OneStopPhoneShop.com, e2save.com, and Mobiles.co.uk were hit by a DDoS attack that diverted its IT experts' attention from a sophisticated hack of the company's customer database and a theft of 2.4 million customer records. The credit card information of roughly 90,000 customers was stolen, although — and fortunately for Carphone Warehouse — the data was encrypted.
Stock Market Aftershocks
Companies that expose themselves to breaches often pay penalties for allowing the attacks to happen. Besides these, according to the Audit Analytics report, remediation costs and lower stock market values are the other two most significant financial impacts of a breach.
The primary cost factor for a breach is the value of the stolen information. Not surprisingly, compromised financial information is seen as the most damaging. But Audit Analytics noted that, between 2016 and 2019, Social Security numbers (SSNs) also became popular breach targets, as SSN thefts increased by more than 500% during that period. Since 2011, of the breaches of publicly traded companies that cost more than $50 million to remediate, seven compromised financial information and three compromised SSNs. Some of the largest attacks were leveled at Target in 2013 ($292 million), Home Depot in 2014 ($298 million), Equifax in 2017 ($1.7 billion), and Marriott in 2018 ($114 million).
It's important to note that the biggest cases — like the $5 billion Facebook has spent on its breaches or the nearly $2 billion spent by Equifax — skew the average data breach cost. Note that while the Audit Analytics report pegged Equifax's remediation costs at $1.7 billion, the company reported more remediation spending in the first quarter of 2020.
Slower Time-to-Detection Escalates Costs
The second determining factor in the cost of a data breach is the length of time it takes to disclose the breach. According to Audit Analytics, an average of 108 days passed before companies discovered a breach and 49 more days, on average, before they reported it. The median gap between the discovery of a breach and notifying the authorities was 30 days.
For companies, the discovery-to-disclosure period isn't trivial. An academic article citing research from Audit Analytics found that equity value declined about 0.33% in firms that immediately disclosed a data breach, but by 0.72% in those that delayed disclosure by a month. The decline was much larger when companies failed to disclose the attack and parties outside the firm later discovered it. In these cases, company stocks dropped 1.47% in the three days after the revelation of the attack and 3.56% in the month afterward.
The worst case of delay involves Yahoo, which knew that Russian hackers had penetrated its system in 2013 but only reported the breach at the time of the firm's acquisition by Verizon in 2016. The hack affected more than 3 billion accounts. The Securities and Exchange Commission eventually fined Yahoo $35 million for the 1,649-day delay in reporting the breach. Another case involves a data breach at Choice Hotels International, which began in June 2015 but was not reported until 2019. Data from the chain's online reservation portal were shared with third parties more than 88,000 times because of a coding error.
Complex Attacks Require Better Internal Controls
To be fair, some firms hire third-party investigators to look into their data breaches, which can result in delays to reports to authorities. Nevertheless, the delays are problematic. "Cyber breaches that are not discovered quickly are concerning for both regulators and investors," its report states, referring to a SEC investigative report on the effects of cyber fraud on the internal controls of public companies. The SEC did not recommend enforcement in the nine cases highlighted in its 2018 document, but recommended that firms review their internal controls in relation to cyber threats.
"Data breaches that are not discovered quickly raise red flags about a company's internal controls, suggesting that controls may not have been sufficient enough to detect the issues in a timely manner," the Audit Analytics report concludes.
Depending on the nature of the information that is lost, repeated breaches can lead to extra future costs, including lawsuits filed by consumers and vendors whose financial data was compromised or company employees whose personal data were affected. Diligence by IT is crucial, especially since research and experience shows that the bad guys always come back: Audit Analytics reported that 26% of companies hit by data breaches — including Facebook, Sony, Amazon, Comcast, and T-Mobile USA — were victimized repeatedly.