Feb. 7, 2019 —
The battle against hackers and online criminals seems almost unfairly tilted to their advantage. After all, hackers just need to find one vulnerability, while companies must secure all possible vulnerabilities to keep their data secure.
While data security is a hard enough challenge for professional technology companies to manage, all kinds of companies from retailers to health care providers have your personal information, and they have to maintain security even though their core focus is elsewhere.
The result is that we’ve seen monumental breaches of personal data over the last decade, and the problem is only growing worse. In the last few months alone, companies ranging from Marriott and Discover to Reddit have notified users about data breaches, ranging from minor to severe.
In this article, we’ll review trends in data breaches, quantify how big the problem is and how much it costs companies in different countries and different industries. The data on security breaches reveals the scale of the problem: Breaches are increasing, they’re big (up to 3 billion accounts have been hacked at a time), and they’re especially costly in industries like healthcare and in countries like the United States.
A data breach is an unauthorized release of secure or private information into an unauthorized environment. These breaches can range from “hacks” by external sources to a company inadvertently making confidential information public.
Breaches range in severity on two dimensions: the sensitivity of the leaked data and whether that data is encrypted or not. Sensitive data could include things like credit card numbers, passport numbers, or the password to your email address or bank account. Even data that might not seem sensitive can have unforeseen consequences: your birthdate, paired with other stolen information, could be used to open accounts in your name; and if you re-used your bank account password to open an account on a new social network you never really used (and that was later hacked), you could be in serious trouble.
Because so many kinds of data are sensitive, what’s perhaps most important is whether the company that was hacked had encrypted your data or not. Unencrypted data, where your information is stored in “clear text” on a company’s servers, means that if the company is hacked, the hackers have your data.
However, most companies today will encrypt sensitive data so that the data they store is jumbled unless you have the encryption key, which is hopefully stored separately from the data so it’s unlikely hackers steal both. As a result, sometimes when you hear about a large data breach in the press, the stolen data is encrypted, which makes it mostly unusable for the hackers.
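The encrypted-at-rest design described above (ciphertext in the database, key held in a separate system), as an added Go example that is not part of the original article: a dump of the data store alone cannot be decrypted, and a ciphertext copied into another account’s row is rejected too. The DataStore and KeyStore names are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// DataStore is the company database; it holds only ciphertext (the "jumbled" data).
type DataStore struct{ Rows map[string][]byte }

// KeyStore is a separate key-management system that never exposes the raw key.
type KeyStore struct{ aead cipher.AEAD }
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // no usable randomness: refuse to encrypt at all
	}
	return b
}
// NewKeyStore generates a fresh random 256-bit AES key and wraps it in AES-GCM.
func NewKeyStore() (*KeyStore, error) {
	block, err := aes.NewCipher(randomBytes(32))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyStore{aead: aead}, nil
}

// Store writes only nonce||ciphertext; the row id is bound as associated data
// so a ciphertext cannot be copied into another account's row.
func (ds *DataStore) Store(ks *KeyStore, id string, plaintext []byte) {
	nonce := randomBytes(ks.aead.NonceSize())
	ds.Rows[id] = ks.aead.Seal(nonce, nonce, plaintext, []byte(id))
}

// Load decrypts a row. With the wrong key (an attacker holding only the
// database dump) GCM authentication fails and no plaintext is returned.
func (ds *DataStore) Load(ks *KeyStore, id string) ([]byte, error) {
	row, n := ds.Rows[id], ks.aead.NonceSize()
	if len(row) < n {
		return nil, errors.New("no such row")
	}
	return ks.aead.Open(nil, row[:n], row[n:], []byte(id))
}
```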
With that background on data breaches in mind, let’s dive into the data documenting the frequency and depth of these security incidents.
It’s not just your imagination: data breaches are becoming much more common in the United States. The Identity Theft Resource Center (IDRC), a non-profit tracking reported breaches at US businesses, government agencies and other organizations, provides the count of incidents per year. In short, data breaches are becoming increasingly common:
By 2018, the number of breaches had skyrocketed to 1,244 per year from just 157 in 2005. In the course of just over a decade, the breach frequency has increased over eight times. According to IDRC, while increased criminal activity is driving much of this growth, part of it is because companies are more diligent about actually disclosing hacking incidents (due to new laws and norms about timely disclosures).
The number of breaches is on the rise and no one is immune, not even the biggest tech companies in the world. The following shows the largest data breaches of all time, as ranked by number of accounts compromised:
The largest data breach in the world took place at Yahoo, a technology company, in 2013, where all three billion user accounts were compromised by hackers. As the full extent of the Yahoo breach became public during its acquisition by Verizon, the purchase price was reduced by $350 million.
Some of the data compromised in these cyber attacks has been extremely sensitive. Adult Friendfinder, a network of adult content and dating sites, had all of its user account information stolen in 2016, including emails and passwords. Target, the retailer, had its customer database hacked and actual credit card numbers were stolen.
When database hacks can reveal illicit relationships or credit card numbers to criminals, it’s not surprising that data breaches are expensive for the companies that are compromised. A study by the Ponemon Institute, a data security research firm, puts the average cost of a data breach at $3.86 million per breach globally, or $148 for each record stolen.
What are the component parts of the hefty price tag associated with the breach? The Ponemon Institute calculates four costs associated with breaches:
- Detection and escalation: Forensic investigation to identify the breach and verify its cost, plus crisis management communication.
- Notification costs: Communication campaigns to let customers and regulators know about the data breach.
- Post data breach response: Processes to help affected customers, such as credit monitoring, as well as government fines and legal settlements.
- Lost business cost: The damage to the brand and the diminished ability to win new business and retain customers because of the breach.
What’s more, these costs can vary dramatically by geography. The following chart shows the average data breach cost by country or region.
The United States is the most expensive country in the world in which to have a data breach: the cost is $7.9MM, double the global average. In geographies with more developed economies, the cost of lost business, fines and customer lawsuits can add substantially to the cost.
The cost per data security incident can also vary based on industry. The following chart shows the Ponemon analysis of the average cost per stolen record in a breach by industry:
The most expensive industry for a data breach is healthcare, where the data can be especially sensitive and is governed by specific laws (in the United States at least) setting high data standards and penalties for failure to adhere to those laws.
For companies that are looking to prevent data breaches, there is good news and bad news.
First, the bad news. Malicious actors are out to get you. Approximately half of all breaches are caused by criminal attacks, while human error and system glitches each account for about a quarter of incidents. For malicious attacks, the tactics employed by hackers are relentless, varied and sophisticated.
The good news is that security incidents are preventable and the cost of doing so is less than the cost of a data breach. The Ponemon report estimates that the cost to deploy security automation averages $2.88MM, substantially less than the cost of a security breach in most major economies.
What can a company do to stem the ever-present tide of hackers attempting to gain access to its data? A series of tactics can help prevent or mitigate data breaches:
- Encryption. Any sensitive data can be encrypted so that even if it’s stolen it has limited value.
- Updating and patching software. Ensuring your company’s infrastructure is kept up to date as vulnerabilities are found in software.
- Identity and data management. Making sure that if an employee’s personal or business accounts are hacked, the impact on the organization is limited.
- Education. Making sure employees know that many hacks begin with seemingly innocuous emails designed to capture account credentials.
- Continuous monitoring. Implementing a solution where threats are detected continuously rather than on an ad hoc basis.
Over the last decade the number of reported data breaches has risen substantially, and all data indicates that trend is likely to continue. If there is any silver lining to the rash of security incidents, it is that there is a growing awareness that no organization is immune from hackers’ interest, and companies, governments and nonprofits are starting to take data security very seriously.