Many companies have suffered cyber attacks in the past decade, and the cost of each attack can be hard to estimate. Beyond the obvious costs associated with regulatory penalties and compensation for affected parties, an organization can also incur more subtle costs like loss of business or increased cybersecurity spending after an incident. As a result, the price tags of these cyberattacks is likely a lower bound on the true cost of each incident.
Epsilon is an email marketing company and the target of the biggest data breach in the last decade. In 2011, the company was breached, and the attackers stole data for 75 of Epsilon’s customers, including big names like Best Buy, JP Morgan Chase, and Target. The size of the hack, and the companies caught up in it, resulted in estimated breach costs of up to $4 billion.
The Office of Personnel Management (OPM) is the US government department responsible for managing security clearance investigations, giving them access to a great deal of sensitive information regarding federal employees. In 2014, the agency was breached, revealing the data of 21 million people. The up-front cost of the breach was $500 million in credit monitoring for affected parties, but the organization is also spending $100 million on infrastructure modernization and more on security, giving an estimated final price tag in excess of $1 billion.
Yahoo has been the target of three major cyberattacks in recent years. In 2013, all 3 billion Yahoo accounts were compromised, and, the following year, a second attack breached the data of 500 million Yahoo users. The costs of these breaches were significant, including a drop of $350 million in Yahoo’s sale price to Verizon, an $85 million settlement, and a $35 million penalty levied by the SEC.
The most famous data breach in recent history only makes fourth place on this list. In 2017, Equifax suffered a major hack due to a failure to appropriately patch and secure its network. The attacker gained access to the financial data of over 145 million Americans and over 15 million Canadians. The direct cost of the breach (in credit monitoring and fines) was $449 million, but the company’s valuation also dropped $4 billion in response.
The 2019 breach of Capital One took advantage of misconfigurations in the bank’s cloud security solutions. A misconfigured web application firewall (WAF) had administrator access to cloud resources and was manipulated by a former AWS employee to steal sensitive data from Capital One’s AWS deployment. The attack breached the data of over 100 million Capital One customers and cost the organization at least an estimated $300 million to date.
Maersk is the only organization that isn’t on this list due to a data breach. The shipping giant was one of the worst-hit organizations of the 2017 NotPetya ransomware attack. The damage to the company’s systems cost them an estimated $378 million. Adding the impacts to other companies of this attack, make it one of the most expensive cyberattacks in history.
This UK-based airline was a target of the Magecart hacking group, which places malicious script code (called web skimmers) on organizations’ payment portals to collect and exfiltrate customers’ payment card information. The British Airways breach exposed the payment card data of about 500,000 BA customers. Since the organization and the incident fall under the jurisdiction of GDPR, the UK Information Commissioner’s Office (ICO) has levied a suggested fine of $234 million for failing to protect customer data.
While Sony is more famous for its 2014 hack of Sony Entertainment, an earlier hack cost the entertainment even more. In 2011, cybercriminals gained access to Sony’s customer records for their PlayStation Online service. The hack breached the data of 100 million customers and cost the company over $171 million.
In late 2013, Target was the victim of a cyberattack that exploited the organization’s supply chain. The attacker gained access to the network of Target’s HVAC provider and used this vendor’s credentials to access the Target network and place payment card skimming malware on Target’s point of sale (PoS) systems. As a result, 110 million Target shoppers had their card data stolen, and Target incurred costs of about $162 million.
In 2016, Uber made headlines for a data breach that leaked the personal data of 57 million riders and drivers. What made the story so big was how Uber mismanaged the breach. Instead of reporting it to regulators, the company tried to buy the attacker off with a $100,000 payment listed as a “bug bounty”. Once the breach went public, Uber was fined $148 million for how they handled the incident.
For many organizations, the price tag of strong cyber defenses may look like “too much”. However, as the organizations on this list have learned the hard way, the cost of remediating a cyber incident is far more than that of preventing it. As cyberattacks become more common, strong cybersecurity is essential to an organization’s ability to stay in business.
To stay updated on the latest cybersecurity threats, sign up for our newsletter here: https://www.nuspire.com/newsletter-subscribe/