So, was there a way to avoid the loss of a quarter billion benjies? Ilan Barzila, an attorney with Wolf, Greenfield & Sacks, warns businesses: “You need to stay on your toes and do whatever any reasonable business needs to do, to prevent a security breach… You can take certain measures that you think are reasonable and let the system run for a couple of years. You may not update it or audit it… and a breach happens.” So it is reasonable to say that ‘compliance’ alone, without consistency, cannot defend against the swarm of malicious moles tunnelling their way into seemingly secure systems.
It’s all very well to tick the boxes in January, but in the fast-evolving digital realm it is important to maintain the health of your cyber security measures. “Audits occur at a point in time, but your IT infrastructure changes constantly,” explains Steve Dauber, Vice President of Marketing at security firm RedSeal. “So even if you do pass your audit, you may fall out of compliance next week.” We hear you, Bro.
COST: $252 million
RECORDS COMPROMISED: 4.2 million credit/debit card numbers
- TJ MAXX: TJ Maxxed out
Albert Gonzalez strikes again – the infamous hacker has been linked to several major hacks, and several years prior to Heartland Payment Systems’ ill-reputed 2008 breach (which narrowly missed out on our Top 10 list), TJ Maxx experienced a taster of this busy hack attacker. In December 2006 Gonzalez took advantage of the company’s poor data-sharing encryption system and stole credit card data during a wireless transfer between two Marshalls stores in Miami. Separately, he broke into in-store kiosks, which allow members of the public to apply for jobs electronically.
The cyber security breach resulted in 94 million cards being exposed and 451,000 customers’ personal information (including social security numbers) being stolen. After months of investigation into the breach, the company recognised that the costs incurred were more than 10 times the original estimate. Big breaches cost more – much more. TJX reported second-quarter profits cut by more than half, as it took a $118 million charge on top of the $17 million charge taken in the previous 2 quarters. Plus, over $100 million was allowed ‘for a reserve to cover potential losses from items, including litigation and investigative expenses’. As costs stacked up, several analysts suggested the total could run as high as $1 billion, including legal settlements and lost sales. Forrester Research analyst Khalid Kark publicly estimated the final bill to fall between $500 million and $1 billion.
The consequential losses suffered by the retail giant were thus significant and not merely measured in immediate cash terms. Some $256 million was shouldered by insurers and by TJX itself, which was subsequently sued by several banks seeking to recoup losses related to the breach. Then there are the 11 men who were charged in connection with the theft. One of them, Jonathan James, professed his innocence and later committed suicide, apparently in the belief that he was going to be indicted. The jobs of the CIO and CEO of TJ Maxx were also lost in the aftermath. The full impact of data-sharing breaches is not just felt in the finances of the organisation, but in the lives of so many of those involved and their families – whether guilty or innocent.
COST: $256 million
RECORDS COMPROMISED: 94 million cards exposed
- Yahoo: ‘Ya-how many?!’
‘NO-NO-NOTORIOUS’ is how this breach was described by Tony Pepper, CEO of Egress Software Technologies, conveying just how B.I.G this case was. In 2016, during company sale negotiations with Verizon, Yahoo, the American web service provider, came clean about what was possibly the vastest mega-breach in history at that time, one that had taken place an entire 2 years earlier without being reported. Get ready for these figures: all 3 billion accounts were compromised, including names, emails, passwords, security questions and answers. In the same breath, Yahoo admitted to falling victim to a separate attack in 2014, which affected 500 million accounts. Apart from likely being the most awkward sales pitch in history, it was for sure one of the costliest, as the breach admissions knocked $350 million off Yahoo’s asking price.
After selling to Verizon for $4.48 billion in 2017, Yahoo received one final donkey-kick. Fast forward to 2018 and Yahoo received its fair share of the ICO’s righteous wrath, with a fine of $335 million. The ICO explained that Yahoo failed to comply “with the appropriate data protection standards, as well as failing to monitor ‘credentials of employees with access to customer data’”, finally commenting on the disappointing 2-year wait before the company revealed the severity of the breach. Tony Pepper notes that this is likely to be closure for the company, following its arguably underwhelming approach to cyber security procedures: “Although the fine has been a long time coming, I imagine there would be some sighs of relief that the investigation was carried out under the Data Protection Act, rather than GDPR, which has much tougher consequences for a breach,” he concludes.
COST: $685 million
RECORDS COMPROMISED: 3 billion accounts
- Equifax: Equifix up
In 2017, consumer credit reporting agency Equifax fell victim to a cyber security breach that would subsequently cost it dearly. Yes, and it did affect its credit rating. After a vulnerability in a US web application was exploited by hack attackers, confidential personal information of 147 million of its 800 million consumers was exposed, including names, dates of birth, social security numbers and credit/debit card numbers. Equifax was fined $622,000 by the UK’s ICO for the 15 million UK users impacted by the breach. The USA’s Federal Trade Commission argued that ‘the credit score agency failed to make appropriate moves, in order to protect its network from intruders’. And they are still paying the cost, in more ways than one.