Consequences of a Data Breach

Despite advances in data security technology, breaches remain a serious threat to organizations storing sensitive data. More than 4.5 billion records were exposed during the first half of 2018 alone—in what was considered a down year—and more than 6,500 incidents resulted in compromised data. In fact, so much data has been exposed over the years that cybercriminals now use machine-learning and artificial-intelligence tools just to keep up with it all. That’s without even considering the financial impact, which can be the greatest consequence of a data breach.

According to a 2018 Ponemon Institute study, exposed data costs about $148 per record lost—adding up to about $3.86 million per breach in total cost.

Since breaches and cyberattacks aren’t stopping or showing any signs of slowing down, determining how to safeguard against and prevent them should be a regular conversation between business executives and their information security teams. Still, regardless of how dire the consequences of a data breach can be, not everyone recognizes and respects the serious threat breaches present.

“Executives have difficulty gauging potential impact partly because they are not typically privy to what their peers struggle with as they work to get their businesses back on their feet,” Deloitte’s Emily Mossburg told CSO Online. “An accurate picture of cyberattack impact has been lacking, and therefore, companies are not developing the risk postures that they need.

“Much of the conversation has been focused on what vulnerabilities exist and the technology impact. It seems to be focused very narrowly on the breach notification element and the post-breach protection mechanisms that need to be in place, but the broad impact seemed to be ignored.”

The broad consequences of a data breach are the continued, and ultimate, cost of recovery. But before we get into the minutiae and long-term effects of breaches, let’s look at the immediate costs. Although they can pale in comparison to the lasting impact, the initial fines and the damage from losing customers are significant. Below is a list of the costliest data breaches we’ve seen in recent years.

Company                      Exposed Records   Estimated Cost
Epsilon                      Unknown           $4 billion
Equifax                      148 million       $1.4 billion*
Veterans Administration      26.5 million      $500 million
Hannaford                    4.2 million       $252 million
Sony PlayStation             100 million       $171 million
Target                       110 million       $162 million
TJ Maxx                      Unknown           $162 million
Heartland Payment Systems    130 million       $140 million
Anthem                       80 million        $100 million
Sony Pictures Entertainment  Unknown           $100 million
Marriott                     383 million       $72 million*

* Denotes costs that are ongoing and will likely increase as a consequence of the data breach

Again, these are just a few examples of the consequences of prominent data breaches. It is by no means a comprehensive list. It’s also helpful to keep in mind that this is just the beginning. In addition to the glaring cost of fines and other penalties, there’s the difficult-to-quantify loss of customers, consumer trust, and more. Clearly, the consequences of a data breach are severe.

According to a Deloitte Advisory study that looked at the broader impact of breaches, unforeseen (or “hidden”) costs of a breach can add up to 90 percent of the total business impact on an organization, and even then, this additional cost probably won’t be apparent until years after the event.

Delayed Costs

When determining the financial consequences of a data breach, most companies recognize the initial costs associated with it, such as the cost of notifying customers, fines, public relations, legal fees, technical investigations, and cybersecurity improvements. However, additional, unexpected costs include increased insurance premiums, a higher cost of raising debt, operational disruption, customer loss, contract-revenue loss, loss of consumer trust, and stolen intellectual property.

According to Deloitte’s study, which simulated a pair of hypothetical breaches over a five-year period, the estimated long-term consequences of a breach dwarfed the initial price tag, which accounted for less than 5 percent of the total cost. By applying that calculation to the Epsilon breach, you get a five-year total of more than $113 billion. Although that’s only a projection, if it’s anywhere close to what the actual number will be, that breach could go from being costly to potentially crippling.

Noncompliance is Commonplace

Perhaps the greatest risk for a data breach comes from operating a data environment that does not meet the regulatory compliance obligations to which it is subject. This also opens organizations up to fines for failing to meet a regulation’s requirements, which can compound the consequences of a breach.

Unfortunately, this lack of compliance is not uncommon. For example, the European Union’s General Data Protection Regulation, a comprehensive set of privacy obligations, has been in effect for more than a year. Yet, an International Association of Privacy Professionals (IAPP) member survey conducted in 2018 revealed less than 50 percent of those surveyed were fully compliant with the GDPR, with almost 20 percent claiming they believed it was not possible for their organization to achieve GDPR compliance. Consider the fact that those polled for the study were all IAPP members—and therefore more likely than most to be familiar with compliance obligations and capable of meeting them—and it’s safe to reason that the number of noncompliant companies could be even higher in reality.

Although it might be understandable to think that many organizations would need time to adjust to the new regulations, the consequences for failing to do so in a timely fashion are substantial. Under the GDPR, an organization found to be willfully or intentionally in violation of its requirements is subject to administrative penalties of 4 percent of annual turnover or €20 million—whichever is greater. A lesser penalty for “simple negligence” equates to the greater of 2 percent of annual turnover or €10 million in penalties. These fines can apply to all noncompliant organizations, regardless of whether they are breached. Simply put, organizations cannot afford to be noncompliant.

Just as concerning is a TrustArc survey that showed nearly 90 percent of California companies had not completed the California Consumer Privacy Act (CCPA) compliance process at the time of the survey, and 44 percent had yet to even begin. These same companies have until 2020—when the statute goes into effect—to become compliant, but it would behoove them to act now and stay ahead of the first of many upcoming privacy regulations.

However, none of this is to suggest that meeting regulatory compliance is easy. Often, it is both difficult and expensive, but it is a necessary undertaking in order to protect the data of companies and their customers. And even then, compliance does not guarantee a secure environment or protection from a breach.

How TokenEx Can Help

Earlier this month, we learned an unauthorized user accessed one of our customers’ internal systems via a phishing email. Typically, this type of intrusion could have potentially devastating effects, including the compromise of sensitive customer data. However, because this organization was using TokenEx to tokenize its cardholder data, no primary account numbers were exposed during the breach. As the customer explained in its breach notification:

The information potentially accessed in this incident would not include your full credit or debit card number, as we do not store those numbers when customers make purchases in our store. If you've opted to store your card in your account, we store the last four digits of your payment card number for reference and use by you for subsequent purchases, but never the entire card number.

This is what we mean by “no data, no theft.” Although tokenization cannot completely protect your environment from a breach, it can desensitize the information stored inside. So, even if tokens are exposed, they’re nonsensitive placeholders unrelated to the original, sensitive data. Therefore, cybercriminals cannot reverse the tokens or use them to access the original data stored safely in TokenEx’s vaults, effectively eliminating the risk of data theft in the event of a breach.
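The following is an added illustration of the vault-style tokenization described above; it is example code written for this page, not TokenEx’s product code, and the names (TokenVault, StoredCard, store_card, contains_pan) and the design details are assumptions. It shows the two properties the customer’s notification relies on: the merchant database keeps only a random token plus the last four digits, and the token is generated independently of the card number, so a copy of the merchant database reveals no primary account number. The example also deliberately rejects any candidate token that happens to pass the Luhn check, so a token can never be mistaken for a real card number.

```python
"""Vault-style tokenization of cardholder data (constructed example)."""
import secrets
from dataclasses import dataclass
from typing import Dict

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 12-19 digits with a valid Luhn check digit."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Trusted boundary: the only place the token-to-PAN mapping exists.

    Assumed design: the vault lives in a separately secured environment,
    and the merchant only ever talks to it via tokenize/detokenize.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:        # same card -> same token
            return self._token_by_pan[pan]
        while True:
            # Random body, last four digits preserved for customer reference.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that would pass as a real PAN.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def is_known(self, token: str) -> bool:
        return token in self._pan_by_token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; raises KeyError for an unknown token."""
        return self._pan_by_token[token]


@dataclass(frozen=True)
class StoredCard:
    """What the merchant database holds: no PAN, only token + last four."""
    token: str
    last_four: str


def store_card(vault: TokenVault, pan: str) -> StoredCard:
    """Merchant-side flow: send the PAN to the vault, keep only the token."""
    return StoredCard(token=vault.tokenize(pan), last_four=pan[-4:])


def contains_pan(record: StoredCard, pan: str) -> bool:
    """Breach simulation: does anything in the merchant record reveal the PAN?"""
    return any(pan in field for field in (record.token, record.last_four))


if __name__ == "__main__":
    vault = TokenVault()
    record = store_card(vault, "4111111111111111")   # well-known test PAN
    print("merchant stores:", record)
    print("PAN recoverable from merchant data:", contains_pan(record, "4111111111111111"))
    print("PAN recoverable via vault:", vault.detokenize(record.token))
```

Detokenization is only possible by asking the vault, which is why the vault, not the merchant database, is the asset that must be protected; a stolen merchant record yields a token that is unrelated to the card number except for the last four digits the customer already sees on their receipt.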
