Understanding the Cost Of A Data Breach

Expert studies have put a lot of work into identifying what a data breach is likely to cost a company or organization. Data breaches are some of the most feared types of cyberattacks in the business world, and beyond. Having sensitive data outside of the authorized user’s control creates certain kinds of dangers for individuals and businesses alike. That has led to a growing awareness in business that cybersecurity has to be a high priority.

What is a Data Breach?

In the simplest sense, a data breach is a cyberattack that results in a hacker or an insider obtaining some form of valuable or sensitive data. This valuable and sensitive data often comes in the form of customer or user identifiers, along with financial or medical information that can be used to harm people or for criminal gain. But this isn’t the only type of data targeted by hackers. Other kinds of important, sensitive data, like trade secrets or product and performance data, are also vulnerable to a breach.

With that in mind, let’s look at some of the common costs that a company has to deal with after a data breach.

Average Data Breach Costs

The widely cited IBM/Ponemon study series tracks data breaches from 2016 to 2022, finding that the most current number is $4.35 million for 2022, up from $4.24 million in 2021. That’s the average total cost that a business has to pay in mitigation, loss of business and every other liability incurred in a data breach scenario.

For the same two years, average per-record costs went from $161 to $164. So for every piece of sensitive data stolen, a firm pays, on average, over $100.

What Industries Have the Highest Data Breach Costs?

Data breaches are more expensive in some fields than they are in others. Year after year, highly regulated industries report higher data breach costs than other sectors. 

Ponemon found that out of all of the sectors reporting data breaches, healthcare data breaches were the most expensive at just over $10 million on average. Financial services followed with $5.97 million on average and pharmaceuticals with $5.01 million on average. All other fields were under the $5 million mark.

Healthcare, researchers found, was the highest-cost industry for the last 12 years.


Data Breaches by Region

There’s also a difference in data breach costs according to where the target is located. The study found that data breaches are most expensive in the United States, where the average total cost is $9.44 million. The Middle East is a runner-up with an average breach cost of $7.46 million. After the US and Middle East, Canada, France and Japan face the next highest data breach costs by region. 

Data Breach Consequences: Average Dwell Time

The study also found that data breaches tend to remain undetected or unremediated within systems for quite a long time, with an average dwell time of 277 days per incident. Dwell time is important, because the longer a threat is active in a system, the more damage it does. That adds to the expense of the data breach, and may add to the complexity of mitigation efforts.

Biggest Data Breaches

T-Mobile

This breach technically occurred last year, but recent headlines show that T-Mobile is on the hook for some $500 million, with $350 million to be paid into a settlement fund for a class action lawsuit by customers.

Although hackers initially claimed the data breach affected 100 million individuals, the true number reported has been closer to 50 million.

However, that includes names, dates of birth, Social Security numbers and other identifiers that can be harmful in the wrong hands.

Although details are scant, prior reporting showed that hackers got access through backdoored servers. T-Mobile fixed the issue, but reportedly continued to cover up the data breach for months.


How to Protect Against This Data Breach: 

The solution to this type of data breach is proactive monitoring of server security. But T-Mobile could have avoided a lot of the damage with early reporting, mitigation and investigation of the threat instead of sweeping it under the rug.

DoorDash

Late last month, tech media was reporting on a new data breach involving the DoorDash company, the online food ordering and delivery platform fueled by gig economy workers.

Specifically, hackers conducted a successful phishing attack to get access to employee credentials from a service vendor. That allowed hackers to pilfer some types of card information. DoorDash says the vendor system was “swiftly disabled,” but not before the damage was done. Hackers got away with stolen data including email addresses, names, phone numbers, and delivery addresses of customers, and according to coverage at HackRead, card information from “a smaller subset” of customers as well.

How to Protect Against This Data Breach: 

The solution to this type of data breach is better proactive training and onboarding to ensure phishing attacks like these are not successful. Beyond traditional cybersecurity training seminars, many businesses now “test” their employees’ cybersecurity through pentesting that focuses on social engineering. This way, companies can gauge their employees’ likelihood of falling victim to a phishing attack and target training on high-risk users. When it comes to phishing and other social engineering attacks, we find that the human element is, after all, the weakest link.

Flagstar Bank

Earlier this year, Flagstar Bank reported a breach impacting 1.5 million people across the country.

The breach was reported to the California Attorney General’s office, but reporters suggest that the disclosure was delayed by up to six months.

The breach happened during the acquisition of Flagstar Bancorp by New York Community Bank.

As TechCrunch reports, the company hasn’t provided many details regarding the breach, like how threat actors gained access and exactly which parts of the enterprise system were breached. But one thing we do know is that customer PII (personally identifiable information) was leaked, including customers’ Social Security numbers. Past data breaches at Flagstar have reportedly involved vulnerabilities in vendor systems.

How to Protect Against This Data Breach:

Practical solutions like encryption and monitoring would ameliorate these types of dangers, to an extent. While not a lot is known about the attack vector used in this breach, general cybersecurity controls can be used to lessen the chance of this type of attack. One aspect that shouldn’t be overlooked is the importance of vendor security. Employing vendors whose cybersecurity strategy aligns with your own is important for securing business data that other organizations may hold. If your internal system is strong but your vendor’s side is weak, data operations may still be exposed to potential threats.


Horizon Actuarial

Horizon’s case was reported in March of this year, and is estimated to have impacted 2.29 million individuals.

The company provides consulting for union benefit plans, and fell victim to a ransomware attack in November 2021 after hackers got access to two computer servers and the following data types:

· Names
· Dates of birth
· Social Security numbers
· Health plan data

Victims of the breach included professional athletes from Major League Baseball and the National Hockey League, as well as employees of the New York Times.

Now, Horizon faces a class-action lawsuit alleging that the company failed to adequately safeguard customers’ information, with attorneys calling the negligence “egregious” because of previous high-profile data attacks within the industry as a whole. Concerns include the risk of identity theft and fraud.

The solution would have been to “reasonably secure, monitor and maintain the private information of customers and business associates” which the filing claims Horizon failed to do. Plaintiff’s counsel cites the “failure to design and implement and maintain reasonable and adequate data security systems and safeguards.”

How to Protect Against This Data Breach:

Encryption is specifically mentioned as an absent best practice. Critics also called for better training and attention to industry standard data security practices. The fact that outsiders were able to call out the company shows how internal systems were not up to par for managing the reasonable risks that are to be expected, especially when the company is managing group data for parties like the unions mentioned above. The individual people and groups who trust their data to companies like Horizon expect that their data, and the servers it resides on, will be protected in proactive ways, and that if something happens, they’ll be notified immediately. 

OpenSea

In February of this year, users at NFT marketplace OpenSea fell victim to a phishing attack where a hacker stole $1.7 million worth in Ethereum tokens from users.

According to analysis by Rob Behnke at Halborn, hackers would allegedly trick users into a transfer, and then call a malicious contract, where OpenSea proxy contracts allowed the attacker to steal tokens from the user’s account, because of signed and un-validated orders. 

How to Protect Against This Data Breach: 

Validating transactions, analysts note, would have fixed the problem. That process is different in cryptocurrency and blockchain operations, but it can be done, especially with good blockchain-adjacent identification and validation systems, the kinds that regulators are demanding for crypto businesses. Companies also need to pay attention to user authentication, to spot sneaky attempts like these from a mile away. 

Texas Department of Insurance

In this case, the target was a government agency, and 1.8 million individuals were affected.

The problem was a security issue with a TDI web application, which led to the unauthorized release of worker’s compensation data when a “protected area” of the company’s network was breached.

Dates of birth and social security numbers were compromised. 

How to Protect Against This Data Breach:

Better activity monitoring could have caught the flaw in the web application’s code that reportedly allowed the breach. Agencies and frameworks like FedRAMP and NIST provide guidance for government offices on how to shield themselves from these risks. Encryption is a must; so is robust monitoring of the network on which this public information is stored.


Shields Healthcare Group

In this mega-breach, the data of 2 million people was affected.

In a notice of data security incident, Shields reported “suspicious activity” on its network in March, and revealed that a hacker had unauthorized access to sensitive data sets for a period of two weeks.

Social Security numbers, dates of birth, and home addresses were stolen: so were provider information, diagnosis data, billing information, insurance numbers, medical records, and patient IDs. Among the types of negligence cited by Shields critics were: delayed reporting, vague and evasive response, incomplete information on threats, and insufficient cybersecurity ahead of the breach.

How to Protect Against This Data Breach:

Aside from the criticism leveled at the company in legal documents surrounding the case, there are also common sense ways that Shields could have prevented at least some of this data exposure. For example, there’s the principle of microsegmentation: keeping parts of the system separate from one another, and locking away data in separate containers. In this case, if some of the data sets involved had been kept separate from others, hackers might not have had as wide a treasure trove in achieving the data breach.

Then there’s the proactive user monitoring that’s useful for preventing nearly any kind of insider threat or attack.

The court process will reveal whether the company thought about enacting some of these reasonable protections before the hack was pulled off.


Conclusion: Proactive Protection

These devastating data breaches, and many others with smaller footprints, serve as a daily reminder to companies of the value of proactive data protection. The cost, along with the damage to business operations, combines to strike fear into the heart of any enterprise professional who considers what hackers are doing to company systems. That’s driving a whole new industry attuned to the core concept of data breach protection.
