Why Data Breaches Are Often Bigger Than They Say
If there’s one lesson to be learned from the number of large data breaches in the past year – besides the obvious one of ‘don’t be vulnerable’ – it’s that the initial estimates on how many records have been compromised are almost always wrong.
We’ve seen this song and dance before, though: A large organization gets breached, a story comes out with an initial number of customer records and total cost. Then, a couple of weeks later, a bevy of much larger numbers are reported. For example, the impact of the Target breach last year was first estimated at 110 million customer records compromised to the tune of $61 million in damage. A few months later, some experts said that when all is said and done, that breach could end up costing the corporation somewhere in the neighborhood of a cool $1 billion.
So what gives?
Before making wild assumptions about companies fudging numbers to assuage worried customers, there are a variety of factors involved in getting a complete picture of the damage after an information security breach. Using Target as Exhibit A, the initial $61 million estimates “includes paying the card networks to cover losses and expenses related to reissuing cards, lawsuits, government investigations and enforcement proceedings,”according to Bruce Horowitz of USA Today. Considering that initial number didn’t include loss of sales, damage in brand reputation, and devaluation of public stock, one can start to see why breaches are so expensive.
Another big hidden cost associated with a sizable breach is offering ‘free’ credit protection services to customers to salvage some trust in the brand. Assuming that Target worked out some kind of bulk rate with Experian’s ProtectMyID services (valued at $191 per customer), offering those services to all 110 million customers won’t be cheap. Keeping in mind the growing shortage of qualified IT professionals, hiring on permanent or temporary information security personnel can also cost a pretty penny. According to Indeed.com, the nationwide average salary offered to IT security analysts is sitting around $82,000.
There is also the possibility of going public with a breach before all the factors are known. In the case of the recent OPM breach, not only were 4.2 million government workers’ records breached, but now it seems that personal information from citizens that applied for government jobs has also been exposed. This means the field of possible compromised records has now widened up to 18 million, although that number can’t yet be confirmed as the official government investigation into the breach is still ongoing.
As if all of this wasn’t enough, there’s always the threat of fines from the many industry-specific regulatory bodies. While uncommon as of yet – save a few healthcare and telecom entities – a more standardized fine schedule may be on the horizon soon. With a standardized data breach notification law in the works in in Congress, regulatory compliance fines may start to rise in lockstep with the frequency of breaches.
Last, but not least, estimations on compromised data are just that: Estimations. Pinning a hard number to a data breach is difficult and likely a low-priority task in the face of the flurry of securing outbound data streams, pouring through incident records and monitoring remote access points.
As the size and frequency of information security incidents continue to rise at a steady pace, so too will the dollar figure attached to them. So the next time you watch the news and see a breaking story about a major data breach, just wait a couple of days. It’ll get a whole lot worse before it gets better.
Learn about CIS’s first five controls and examine what each control addresses.
Learn about how privacy programs and the importance of being prepared for a breach.
Learn about the constant vigilance of continuous security monitoring.