There’s no doubt that cybercrime has become “mainstream” – we hear about it more and more often on the news, and hackers don’t spare even the biggest, and what would seem to be the most secure, companies. In the first half of 2018 alone, over 4.5 billion records were stolen, which works out to a staggering 291 records every second.
The real costs of a data breach are hard to estimate – depending on the case, the expenses might include the cost of covering the losses, prevention, settlement, and fines imposed by the government. Even small data breaches caused by data leaks from unsecured websites – the majority of which could be prevented by a simple SSL certificate (if your website still doesn’t have one, you can get an affordable SSL at Hostinger) – can cost small businesses thousands of dollars, effectively ruining them.
But that’s still far from the most expensive data breaches in history, the cost of which often amounted to hundreds of millions of dollars – far exceeding the recent average, estimated at $3.86 million. What were they? Here are the top 10 most expensive ones.
10. Veterans Administration – $100 to $500 million
Number 10 on the list is quite unusual, as it had little to do with the Internet or hackers forcing their way through elaborate corporate security systems. All it took to steal the data of 26.5 million people was a hard drive with unencrypted records, which was taken home by one of the Veterans Affairs analysts and later stolen during a burglary.
The data stolen included Social Security numbers and disability ratings of active-duty military personnel, National Guard, members of the Reserves, and veterans. The cost of the theft, estimated to be around $100 to $500 million, includes the expenses necessary to cover the losses and prevent this from happening in the future. One of the things that drove up the cost is the fact that Veterans Affairs failed to disclose the breach until May 22 – over two weeks after the incident!
9. Uber – $148 million
2016 was definitely not the best year for Uber, the widely popular ride-hailing service operating in almost 800 metropolitan areas around the world. The company was affected by a data breach, which revealed the details of over 57 million riders and drivers (including 600,000 US driver license numbers).
Worse still, instead of informing the affected people, Uber tried to cover up the whole incident, paying the hackers $100,000 to delete the data. The company was fined $148 million for its negligence and the subsequent cover-up.
8. Sony Playstation Network – $171 million to $2 billion
Five years earlier, in 2011, Sony’s PlayStation Network suffered a hacking incident of similar scale, allowing hackers to access the personal data of 77 million people with accounts on the PlayStation Network. The data included names, addresses, birthdates, usernames, passwords, security questions, and other personal information of both adults and children whose parents had created accounts for them.
While the cost of the breach itself was estimated at $171 million, this does not include the potential impact on revenue and lawsuits, including those already filed by numerous American and Canadian law firms, which could amount to around $2 billion.
7. Marriott – $200 million to $1 billion
Just as in the case of the Sony PlayStation Network, almost all data breaches on this list have additional hidden costs, such as brand reputation, trust, and unrealized revenue, that will affect the company for years after the breach. A great example of this is the Marriott data breach, which affected around 500 million guests and is one of the largest data breaches in history in terms of the amount of data stolen.
While the direct fines and court-related expenses are estimated at around $200 million, the extra costs, such as percentage fines imposed on company revenue, the expenses of notifying customers, and data monitoring services, could quickly amount to around $1 billion.
6. TJX – $256 million
An interesting example of how far estimates can be from reality is the 2007 TJX data breach, which cost this multinational off-price department store corporation $256 million – over 10 times more than the original estimate.
One of the reasons for the rising cost was the fact that the company initially underestimated the number of stolen credit card numbers, which quickly rose from the initial 40 million to 100 million, forcing the company to spend more money to cover additional settlement costs.
5. Epsilon – $270 million to $4 billion
The 2011 data breach at the email marketing services company Epsilon was at the time so enormous that some industry experts called it the hack of the century. One of the reasons for this catchy name was the fact that the company processed the email details of customers of all the major banks, as well as retail and hotel chains – including thousands of A-list clients.
The cost of the breach amounted to $225 million in liabilities, followed by an estimated $45 million in lost business ($270 million total); however, it is estimated that the total cost could run as high as $4 billion – it all depends on how the hackers use the acquired email addresses.
4. Equifax – $439 million to $4 billion
2017 was without a doubt not a good year for Equifax, the US consumer credit reporting agency. In March, the company suffered a major security breach, followed by an attack between mid-May and the end of July, which resulted in unauthorized access to the data of around 145.5 million American and 15.2 million UK customers.
The immediate cost of the breach, including security upgrades, legal fees, and free identity theft services for consumers, totaled around $449 million. But experts estimate that the final immediate cost will quickly rise to $600 million if not more, and the Wall Street reaction to the breach reduced the company’s valuation by $4 billion.
3. Yahoo! – $470 million to ??
Over the past few years, the Sunnyvale-based company suffered three major data breaches – the biggest of which happened in 2013, when all 3 billion accounts were compromised. If that wasn’t enough, the breach was followed in 2014 by another one, which gave hackers access to 500 million accounts.
While accurate costs are hard to estimate for such large amounts of stolen data, the breaches knocked about $350 million off Yahoo’s sale price. On top of that, it is known that Yahoo was asked to pay an $85 million settlement and agreed to pay a $35 million penalty to the SEC – all of which gives us a round number of $470 million. But the real costs most likely ran into the billions.
2. Exactis – More than Equifax
The exact numbers for the Exactis data breach are not yet known, as the breach happened in 2018 and the real legal battle is probably yet to come. But, considering that it is already called a much more complex and costly data breach than that of Equifax, we can easily say that the initial costs may surpass $500 million. What makes our estimate so high?
The records leaked from Exactis covered 200 million US consumers and 110 million business contacts. And, considering that some of the data was reportedly accumulated without the consent or knowledge of the data subjects, the settlement costs alone could be massive.
1. U.S. Office of Personnel Management – $500 million to a few billion
Even though the 2014 data breach affected “only” 21 million people (compared with Equifax, Exactis or Yahoo, that number looks really low), the $1 billion estimate is probably still less than what the real cost will be.
A year after the breach, the government issued a contract for $500 million to provide credit monitoring to the people affected. This does not include the costs of infrastructure modernization (estimated at around $100 million), security updates, staff training, data migration and encryption. In fact, the government agency may spend as much as a few billion dollars over the next few years as a result of the breach.
What makes data breaches so widespread and so costly? One of the reasons is negligence – employees often underestimate the real value of the data they’re working with. Another reason is the rising value of data, which is worth more than ever before. And it’s relatively easy for hackers to gain unauthorized access to it, especially considering that many businesses still lack sound security policies and fail to secure their data adequately.
While, as a small online business, you don’t have to worry about such a huge amount of damage, you should still do everything you can to protect your customers. And the easiest way of doing that is getting an SSL certificate, which encrypts the connection between your site and the browser, creating the most important layer of security.