Equifax has spent millions on new technology and security upgrades, legal fees and identity theft services made free for those affected. By the end of 2017, the estimated breach costs totalled $439 million. Now the company has agreed to pay nearly $700 million to settle Federal and State investigations, contributing between $300 and $425 million towards consumer compensation. That’s right: if you were impacted by the Equifax breach you could be entitled to claim up to $20,000. In practice, it won’t work out at that much per claimant.
Larry Ponemon, chairman of Ponemon Institute, estimated previously that ‘the expenses associated with ending government investigations into the data breach, as well as any civil lawsuits lodged against Equifax, would cost more than 600 million’. In fact, the actual figures are closer to $1 billion. In Larry’s own opinion: “It looks like this will be the most expensive data breach in history.”
But wait, Larry… there’s more…
COST: $1 Billion
RECORDS COMPROMISED: 147 million
- Epsilon: ‘Sir EpsiLOTS OF MONEY’
Our own (albeit temporary) number one spot goes to Epsilon, for the current most mega-breach of all time, which rocked the world in 2011. The global marketing email provider fell victim to the hack attack of the century, affecting up to 75 prestige clients, including Disney, Capital One, Citigroup, JPMorgan Chase and Target, to name a few. Millions of customer details were stolen, and Epsilon warned users that its systems had been ‘exposed by an unauthorised entry’, although after further investigation Epsilon insisted that the only information obtained was customer names and email addresses. But why could this still be damaging?
Well, in the cyber world where villainous hack attackers and their nefarious toolkits seek to steal, exploit and destroy, a list of millions of email addresses, together with the company each was registered with, comes in quite handy. A list of emails is to a hacker with malicious intent what a pot of gold is to a pirate. It is incredibly lucrative for so-called ‘phishing’ scams, where credible-looking emails are sent to people soliciting other sensitive information, such as bank account details. Some banks and other companies affected by the breach warned their customers to practise caution when opening links and attachments from third parties, as hackers were likely to attempt to ‘solicit further login details’ and other confidential information while posing as the familiar service. “That, in turn, can make their fraudulent correspondence seem more believable,” explains Paul Ducklin from Sophos Internet Security.
So, the long-awaited question: what was the cost of the most expensive breach of all time? Epsilon itself paid an estimated $225 million, and its 75 affected clients paid approximately $410 million. However, once you total ‘forensic audits, monitoring, litigation and lost business’, plus $45 million in lost business as clients ‘walked away in droves’, further exacerbated when the Secret Service got involved, the estimated total damage was $3-$4 billion.
That’s $3,000,000,000 to $4,000,000,000, just to put it into context. Or enough to buy everyone in the UK a Nando’s.
COST: $3-4 billion
RECORDS COMPROMISED: Millions (Number unknown)
So what are our own take-aways from this sorry menu?
It’s clear that even the biggest companies are hacked despite investments in their security systems and practices, through a variety of avenues exploited by hackers globally. Robert Mueller, Director of the Federal Bureau of Investigation, summarised: “There are only two types of companies: those that have been hacked and those that will be”. Even that is merging into a single category: those that have been hacked and will be again. So it’s apparently officially recognised that no company is ever truly ‘safe’ from cyber-attacks. It’s a question of degree.
Two things thus remain important to grasp for those responsible for protecting the data of customers and employees alike. The first is that cyber security is a complex and fast-evolving realm, so data security strategies should match that dynamic and mend emerging vulnerabilities.
The second is that any business CEO, security official or data handler should recognise that they have a duty of care to the individuals who place trust in the company and become its stakeholders. We can get so lost in conversion rates and sales that we lose sight of the quality of care we should grant every individual who chooses to invest, use a product or investigate our offerings. In a world where recorded cyber-attacks reached a record-breaking 758 million in 2016, according to Kaspersky Lab, [5] there is little doubt that 2019 will create its own tragic records. So, we at URiM will continue to do our part to help ensure that your own organisation is not among them.
- [1] https://www.varonis.com/blog/cybersecurity-statistics/
- [2] https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
- [3] https://www.theguardian.com/business/2019/jul/08/ba-fine-customer-data-breach-british-airways
- [4] https://www.eweek.com/security/details-of-heartland-hannaford-data-breaches-emerge
- [5] https://outpost24.com/blog/top-10-of-the-world-biggest-cyberattacks