What is the Average Total Cost of a Data Breach?

What is a Data Breach?

When confidential or protected information is exposed, it is called a data breach. Your Social Security number, bank account or credit card details, protected health information (PHI), trade secrets, personally identifying information (PII), passwords, or email can all be lost or stolen in a data breach.

A data breach might be intentional or unintentional. A hacker can break into a company’s database and steal all personal information. Alternatively, an employee at that company may inadvertently disclose personal information on the Internet. In any case, attackers may gain access to your sensitive personal information and profit from it at your expense.

If a data breach results in identity theft or in a violation of government or industry compliance standards, the organization can face fines, reputation damage, and even the loss of its business license.

Example of Data Breach – Equifax Data Breach

In the United States, Equifax is one of the major credit reporting agencies (CRAs), also known as credit bureaus. Credit reporting agencies compile individual credit reports that give a detailed picture of a person’s credit history, including whether they have made timely payments on loans and credit cards. CRAs get their data from businesses such as banks, landlords, and credit card companies rather than from consumers. When someone applies for credit, the lender checks their credit record with Equifax or another CRA to see whether they have a history of paying their bills on time.

Equifax announced a data breach affecting about 143 million U.S. consumers on September 7, 2017. The same notice said that some consumers in the United Kingdom and Canada had been affected but did not provide a specific number. Equifax stated that the data breach occurred between mid-May and July 2017. The data was accessed only through Equifax’s U.S. online dispute portal web service. The breached data included dates of birth, names, addresses, Social Security numbers, and driver’s license numbers.

CVE-2017-5638, a vulnerability in Apache Struts, was the source of the breach. The Apache Software Foundation maintains Apache Struts, a popular framework for developing Java Web applications. On March 7, 2017, the Foundation released a statement announcing the vulnerability and a patch. The vulnerability was not fixed until Equifax’s information security staff identified “suspicious network traffic” related to its online dispute portal on July 29, 2017, when it installed the Apache patch. Equifax discovered more suspicious activity on July 30, 2017, and took the online application down. The corporation contacted cybersecurity firm Mandiant to perform a forensic investigation of the breach three days after receiving the letter. According to the analysis, an additional 2.5 million Americans’ data had been compromised, raising the total number of Americans exposed to nearly 145.5 million.

Causes of Data Breach

  • Human Errors: One of the major causes of a data breach is human error. Industry statistics indicate that more than half of all data breaches are caused by human mistakes.
    Typical examples are sending an email to the wrong recipient or responding to a request by unintentionally releasing confidential information.
  • Device Theft/Loss: The second most common type of data breach is the physical theft or loss of a device. Employee negligence leads to passwords being disclosed unintentionally and to laptops, storage devices, papers, or phones being left behind in trains, buses, cafes, or other public places.
  • Application Vulnerabilities: Every software program can contain technical flaws that attackers can take advantage of in various ways. That is why the organizations responsible for those programs constantly look for and address vulnerabilities before attackers do.
    When a vulnerability in software is addressed, the software provider releases a patch, which must be installed by the organizations that use it. This must be done as soon as possible, because attackers who know about the vulnerability will be actively seeking organizations that are still running the unpatched version of the software.
  • Social Engineering: External attackers use social engineering to obtain credentials for the environment by persuading users to hand them over. They can do this in a variety of ways, but phishing attacks are the most common. The only strategy to identify and prevent social engineering is to train your users on what it is, how it works, and what the appropriate response is in the event of an attack.
  • Weak/Stolen Credentials: You make yourself vulnerable to external attacks if you do not have strict password standards that require complex and regularly rotated passwords. Attackers take advantage of weak or easy-to-guess passwords and steal passwords stored in obvious physical or virtual locations.

Consequences of Data Breach

  • Loss of Trust and Reputation Damage: A data breach can have severe consequences for an organization’s reputation. According to research, customers in the retail, financial, and healthcare industries will quit doing business with companies that have been breached due to loss of trust. Consumers are highly aware of the value of their data. If companies cannot demonstrate that they have taken all reasonable means to secure it, they will switch to a competitor that provides high security. Reputation damage impacts an organization’s capacity to attract new customers, future investment, and new staff.

  • Financial Loss: Many organizations face financial loss as a result of a data breach. Various financial issues may arise depending on the nature of the breach. Organizations that suffer security breaches may face costs associated with containing the breach, compensating affected customers, a lower share price, and rising security costs.

  • Operational Downtime: A data breach has a major impact on an organization’s operations from the moment your data is compromised through the entire investigation and recovery process. Data breaches can result in the complete loss of crucial data, which forces victims to spend a significant amount of time recovering. In these situations, the most typical action is to completely shut down operations until a solution is found, allowing adequate time to focus on identifying the breach’s cause.

  • Online Destruction: In some circumstances, hackers act as pranksters, and a security breach may result in minor alterations to your website’s content. While this appears harmless, it can do a great deal of harm, because minor changes are more difficult to notice. A hacker, for example, could alter a few letters or numbers on your contact page or include inappropriate content on your websites.

  • Loss of Sensitive Data: The consequences of a data breach that results in the loss of sensitive personal data can be disastrous. Any information that may directly or indirectly identify an individual is considered personal data, such as an email address, an IP address, or a photograph. It also includes sensitive personal data, such as biometric or genetic information, that could be used to make decisions about a person. Personal information is very important to an individual. For example, if a patient’s medical information were lost in a data breach, it might significantly impact their medical treatment and, ultimately, their life.

Data Breach Regulations

To avoid data breaches, many industry guidelines and government compliance rules require stringent controls over sensitive information and personal data. The Payment Card Industry Data Security Standard (PCI DSS) defines who can access and use personally identifying information (PII) such as credit card numbers, bank account details, names, addresses, etc., in financial institutions and other businesses that handle financial data.

The Health Insurance Portability and Accountability Act (HIPAA) governs who can access and use Protected Health Information (PHI), such as a patient’s name, date of birth, Social Security number, and healthcare treatments, in the healthcare industry. HIPAA also sets penalties for unauthorized access.

Best Practices to Prevent Data Breach

  • Identify Sensitive Data: Identify all the areas that store, transmit, collect, or process sensitive data. Classify the data based on its value to the organization. Limit access to that information based on the principle of least privilege and enforce multi-factor authentication for access to the data.
  • Limit Access to Most Sensitive Data: Organizations should restrict access to their most sensitive data. For example, there is no reason for a mailroom employee to see a customer’s financial information. When you limit who can access specific files, you reduce the number of employees who might unintentionally click on a potentially damaging link.
  • Regular Audits: Regular audits help evaluate your security posture by identifying any new gaps in compliance or governance. A security audit provides a more detailed examination of your security policies than a vulnerability assessment or penetration test.
  • Provide Training to Employees: Organizations can enforce a written employee policy on data privacy and security after completing security policy audits. Regular security training should be held to ensure that all employees are informed of the recently introduced policies – after all, people cannot voluntarily adopt unfamiliar policies.
  • Keep Software Updated: It is highly recommended that all application software and operating systems be updated regularly. Patches should be installed as soon as they become available. When programs are not patched and updated regularly, the network becomes susceptible to known exploits.
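As an added illustration of the first practice above (identifying and classifying sensitive data), the following Python scanner, which is not part of the original article, flags records that contain the kinds of data named on this page: Social Security numbers, payment card numbers and email addresses. The sample records and every value in them are constructed; the Luhn checksum and the SSA's structural rules for SSNs are applied so that look-alike numbers are not mislabelled.

```python
import re

# Constructed sample records standing in for a data-store scan (all values fake).
SAMPLE_RECORDS = [
    "customer=jane.doe@example.com ssn=219-09-9999 card=4111111111111111",
    "order #1001 total=49.99 ref=1234-5678-9012-3456",   # ref fails Luhn: not a card
    "policy SSN 666-12-3456 is a placeholder; amex 3782 822463 10005",
    "card on file 4111 1111 1111 1112",                  # mistyped PAN fails Luhn
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every valid payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues (area 000/666/900+, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def classify(record: str) -> set:
    """Return the set of sensitive-data labels found in one record."""
    labels = set()
    if any(ssn_ok(*m.groups()) for m in SSN_RE.finditer(record)):
        labels.add("SSN")
    for m in CARD_RE.finditer(record):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            labels.add("CARD")
    if EMAIL_RE.search(record):
        labels.add("EMAIL")
    return labels

def scan(records) -> dict:
    """Map record index -> sorted labels, for records that hold sensitive data."""
    return {i: sorted(classify(r)) for i, r in enumerate(records) if classify(r)}

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_RECORDS).items():
        print(f"record {idx}: {', '.join(labels)} -> classify as sensitive, restrict access")
```

Records that pass the checks are the ones to place under least-privilege access controls and multi-factor authentication; records 1 and 3 contain only card-shaped numbers that fail the Luhn check and are left unlabelled.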