TOP 10 MOST EXPENSIVE CYBER-SECURITY BREACHES OF ALL TIME
Liz is back!
No, not the world-renowned starlet Elizabeth Taylor or Her Majesty, the Queen of England. We’re talking Elizabeth Denham, the UK’s Information Commissioner and head of the ICO. She has just announced another eye-watering fine of £99 million ($123 million) for the data breach at Marriott International, publicised this month. This comes just one day after the record-breaking penalty of £183 million given to British Airways for the leaked personal information of 500,000 of its customers.
The Marriott fine is in response to a 2014 data breach at Starwood, a hotel company subsequently acquired by Marriott in 2016, although the breach itself wasn’t detected until 2018. Somewhat inconveniently for Marriott, this was the same year the GDPR came into effect.
What is the GDPR?
The GDPR mandates a “baseline set of standards for companies that handle EU citizens’ data, to better safeguard the processing and movement of citizens’ personal data” and secure documents online. AKA keeping you and your information safe in a world of increasing hack attacks, identity theft and data breaches. Respect+ to the EU.
Great for us as individuals. Perhaps not so great for companies that must now strictly adhere to the General Data Protection Regulation, protecting data and secure documents online to avoid some potentially mammoth penalties. Before this legislation was put in place, the largest fine permitted for a cyber security breach was $500,000; though this price tag did not account for the other costly repercussions of a data breach going public, such as:
- Identity protection precautions
- Additional staffing
- Additional training
- Extra security systems
- Loss of business
- Loss of company reputation and brand damage
So, what exactly is the “true” cost? Though this understandably differs based on the size of the company, impact of the breach and number of individuals/records affected, here are some helpful guidelines, in the form of industry averages:
- The average cost of a data breach is $3.86 million
- The typical cost of lost business after a breach for US organizations adds up to $4.2 million
- A mega breach of 1 million records has an average total cost of $40 million (IBM)
- A mega breach of 50 million records has an average total cost of $350 million (IBM)
These costs will likely go up in coming years as the ICO starts to flex its legal muscles; it is estimated that “damage related to cybercrime is projected to hit $6 trillion annually by 2021”.
Marriott plans to appeal against this £99 million fine for the breach in which credit card details, passport numbers and dates of birth were stolen. Arne Sorenson, president and chief executive of Marriott International, expressed: “We are disappointed with this notice of intent from the ICO, which we will contest… We deeply regret this incident happened. We take the privacy and security of guest information very seriously.”
Why so serious?
Well, with this fine added to the bill amassing for fixing the shortcomings in Marriott’s security systems, this has already become one of the costliest breaches in history - and it doesn’t end there. The costs of a hack can go on for years. With so many diverse factors to be accounted for, the total cost can only be estimated, especially for the more recent cases. However, here at URiM, we have sought to compile a more digestible list of the Top 10 most expensive cyber security breaches of all time, for the purposes of being illustrative rather than definitive. Let the salutary lessons begin!
10. Uber: ‘Shut up and drive’ … and it didn’t pay off (Thanks, Rihanna)
Heralded as ‘one of the biggest embarrassments and legal tangles the ride-hailing company has suffered’, Uber was criticised not only for lacking security governance over its user and employee data, but for taking a ‘Ford Siesta’ on relaying details of the breach to the 57 million customers and drivers it affected. In fact, the transport firm paid the hackers $100k to delete the data (including 600k driver licence details), using its ‘bug bounty’ program, which was designed to reward security researchers who report flaws in the company’s software.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” explains California Attorney General Xavier Becerra. “Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law”. Now, the company appears fully prepared to buckle up and regain the trust of its customers, which Uber Chief Legal Officer Tony West admits is no easy feat. He states: “We’ll continue to invest to keep our customers and their data safe and secure” - sentiments backed by Uber’s new CEO, Dara Khosrowshahi, who fired the security officials responsible for the breach and pledged to change how the firm operates in order to prevent future cyber vulnerabilities.
If only Uber could make its getaway with no more than a dented reputation. Alas, this car-crash of a situation has resulted in further pricey legal action, brought by drivers, customers and the cities of LA and Chicago, to the tune of another $148 million. That’s a hefty penalty fare. Claimants suggest this action will deliver ‘a national rebuke against Uber’s history of flouting laws and basic business ethics’.
Though this fine hardly leaves Uber ‘running on empty’, we can agree that it’s a steep price to pay, not only in its finances but in its customers’ perception of the brand. Trust is like a wing-mirror: you can only hold it together with sticky tape for so long.
COST: $148 million
RECORDS COMPROMISED: 600,000
9. Marriott Hotel: ‘Afternoon Uncertain-Tea’
As stated above, in 2018 Marriott Hotel was involved in the mega breach of the year, after malware was found on the IT systems of one of its hotel chains (Starwood). RAT is a fitting acronym for the sequence of events that transpired. A RAT, or ‘Remote Access Trojan’, is a piece of malware disguised as legitimate software (often anti-virus/security software) that allows an intruder to covertly access, surveil and gain control over a computer for months on end; in some cases, years.
Marriott first learned of the breach in September 2018, after being contacted by the IT company managing its Starwood guest reservation database. By November, Marriott had discovered that the hackers had in fact been in the system since July 2014.
So, what’s the damage? 500 million guests’ personal information exposed, including passport numbers, credit card numbers, names, addresses and reservations. It was calculated that a total of 383 million guest records were breached. Oh, and the cost for Marriott? Well, as discussed earlier, the total amount is still accumulating and can only be estimated at this point, as the company awaits the outcome of lawsuits, loss of business and monitoring services for those impacted. According to Marriott itself, $28 million in expenses was incurred as a result of the security incident, but that price tag was ramped up in recent days by the ICO’s tasty fine of $123 million.
Bloomberg Intelligence analysts Tamlin Bason and Holly Froum estimate the total costs at around $1 billion for failing to safeguard data and secure documents online. Marriott’s slow response in alerting its customers to the breach may also have a negative impact on business for years to come. Cyber security expert Jake Moore concludes that the key to rebuilding customer trust and loyalty is a company’s openness and honesty in situations like this.
COST: $151 million
RECORDS COMPROMISED: 383 million