The Cost of Data Breach
A data breach is a break in security: an incident in which there is an unauthorized disclosure of sensitive or confidential data. These data breaches expose credit card or bank details, intellectual property, Personally Identifiable Information (PII), or Personal Health Information (PHI). The motivation behind data breaches varies, but these crimes are generally committed by hackers who are associated with either organized crime or political activism. To date there have been approximately 8,000 reported data breaches resulting in 1,055,228,349 exposed records. Companies whose security has been breached not only suffer in reputation but are also forced to endure a great financial loss. The total average cost for a breach is $7 million. Companies are doing all that they can to prevent data breaches, but even the best cyber security doesn’t seem to be able to stop these black hat hackers.
The Yahoo breach is the biggest to date, impacting over 3 billion user accounts. The public was awakened to this cyber disaster in September 2016, when Yahoo announced it had been the victim of a massive breach two years prior, in 2014. Yahoo stated that the attack exposed the names, email addresses, dates of birth, and telephone numbers of 500 million users. A few months after the announcement, Yahoo buried the earlier record by reporting a breach in 2013 by a different group of hackers, which had compromised 1 billion accounts. In October of 2017, Yahoo revised its statement yet again, announcing that in fact all 3 billion user accounts had been compromised. The once-lucrative Yahoo, which had been valued at $100 billion, was sold to Verizon for $4.48 billion.
The second largest data breach came to light in 2016, the victim being an online hookup and dating company called FriendFinder. Hackers had stolen usernames, passwords, emails, and join dates from 412 million user accounts. The majority of these accounts were specifically for AdultFriendFinder.com, which advertises itself as the world’s largest sex and swinger community.
In May 2016 the popular social networking site MySpace made a statement explaining that in June of 2013, 360 million accounts were compromised. User names, passwords and emails were for sale in an online hacker forum, supposedly listed for sale by a Russian hacker called “Peace.” This same hacker also posted the original offer to sell the 200 million Yahoo accounts for $1800. Reacting to the attack, MySpace invalidated all of the passwords of accounts that were known to be included in the leak. This tactic proved to be ineffective as most users have the same password for multiple sites.
In 2016 this same hacker “Peace” was found trying to sell 167 million LinkedIn user accounts. The stolen data originated from a hack in 2012, when emails and encrypted passwords were compromised, leaving millions vulnerable. The full database was found on sale in the dark web marketplace for only $2,200 in bitcoin.
In May of 2014, eBay announced that it had fallen victim to a cyberattack impacting 145 million of its unsuspecting users. This breach was executed by hackers who got into the company network using the credentials of three corporate employees, gaining access to the site for over 200 days. Over this time they were able to glean valuable information from the database. According to eBay CEO John Donahoe, the breach resulted in a decline in user activity but barely impacted overall sales.
Heartland Payment Systems
One of the earlier but more memorable data breaches occurred in March 2008, when 134 million credit cards were exposed after attackers used SQL injection to install spyware on Heartland’s data systems. SQL injection is a code injection technique in which attacker-supplied input is executed as part of a database query, which can be used to dump the database contents to the attacker. When Heartland’s security was breached, the company was processing 100 million payment card transactions per month for approximately 175,000 different merchants. In 2009 Mastercard and Visa alerted Heartland to suspicious transactions, and soon the data breach was confirmed. Consequently, Heartland was forced to pay $145 million in compensation for fraudulent payments.
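The SQL injection weakness described above, shown as an added example that is not from the original article and does not reflect Heartland's actual systems: the same lookup written with string concatenation and with a bound parameter. The table, column names, merchant ids and card tokens are constructed for illustration.

```python
import sqlite3

# Constructed sample data: (merchant_id, card_token) rows, not real card data.
SAMPLE_ROWS = [
    ("M-1001", "tok_aaaa"),
    ("M-1001", "tok_bbbb"),
    ("M-2002", "tok_cccc"),
    ("M-3003", "tok_dddd"),
]

def build_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (merchant_id TEXT, card_token TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def lookup_concatenated(conn, merchant_id):
    """Vulnerable: the input is pasted into the SQL text, so quote
    characters in it change the structure of the query."""
    sql = ("SELECT card_token FROM transactions "
           "WHERE merchant_id = '" + merchant_id + "' ORDER BY card_token")
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, merchant_id):
    """Hardened: the input is bound as a value and is never parsed as SQL."""
    sql = ("SELECT card_token FROM transactions "
           "WHERE merchant_id = ? ORDER BY card_token")
    return [row[0] for row in conn.execute(sql, (merchant_id,))]

def compare(merchant_id):
    """Return (rows from concatenated query, rows from parameterized query)."""
    conn = build_db()
    try:
        return (lookup_concatenated(conn, merchant_id),
                lookup_parameterized(conn, merchant_id))
    finally:
        conn.close()

if __name__ == "__main__":
    # A well-formed merchant id: both queries return that merchant's rows.
    print(compare("M-1001"))
    # Input containing a quote and a tautology: the concatenated query
    # returns every merchant's rows, the parameterized one returns none.
    print(compare("M-1001' OR '1'='1"))
```

With the bound parameter, the whole input string is compared against merchant_id as data, so no row matches and nothing outside the caller's scope is returned.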
Equifax was a highly publicized breach and left millions of consumers feeling violated. Equifax, one of the major credit reporting companies, reported that the hack had affected at least 145 million consumers. Other notable breaches include Target, Anthem, JP Morgan, Home Depot, Adobe, and Sony, all impacting around 100 million users or less.
Uber recently announced that two hackers had gained access to personally identifiable information of 57 million riders and drivers in 2016. In an underhanded attempt to conceal the event, Uber paid the hackers $100,000 to destroy the data. Uber did not disclose the breach to regulators or users, thereby violating the security breach notification laws. Security breach notification laws, also known as data breach notification laws, require an enterprise to notify its customers right away if their information has been leaked. These laws also require the company to take immediate action in remediating any injury that may have been caused by the breach. Uber is currently facing consequences from both state and federal agencies.
Data Breach Insurance
Cyber liability insurance and data breach insurance help to cover the costs of legal fees, public relations, and identity protection solutions. Data breach coverage is valuable for companies that need to restore public confidence quickly or need access to legal professionals who are competent in breach response.
As evidenced by companies such as Uber, many breaches go unreported, thus intensifying the issue of cyber security. In the case of a data leak involving a company with which you do business, it is advisable to take the following steps: checking credit reports, placing a freeze on any existing accounts, monitoring credit card and bank accounts closely, and filing taxes early are all ways to verify that your personal data is untouched.