
Understanding the True Cost of Data Breaches

Lyndsay Fielding

02.12.21


When discussing data breaches, it’s common to only refer to the data or “records” that were exposed. However, there is also a very real monetary cost to any data breach which is not always considered.

Why Do Data Breaches Happen?

There are three main categories of data breach causes: human error, malicious attack, and system glitches.

Thanks to the recent IBM Security report on the costs of data breaches, we can see that it is rarely the tech side of things to blame. 75% of the time, it’s the person using the technology that’s at fault either through human error, or some form of malicious attack.

Calculating the Cost of Data Breaches

There are many factors to consider when trying to calculate how much a data breach is likely to cost, but fundamentally we can break it down into four key areas:

  • Detection and escalation: this includes anything a company does to detect a breach, for example, auditing services.
  • Notification: once an organisation has discovered a breach, they need to communicate with not only their data subjects but also regulators and legal experts.
  • Lost business: depending on the nature of the breach, an organisation could experience downtime which hits revenue; in the longer term, they’ll have to deal with brand damage.
  • Ex-post response: after the breach has happened and impacted users have been notified comes the influx of queries, potential legal costs, fines, and potential offers and discounts to restore some of that tarnished goodwill.

On top of those key points, there are a couple of other factors we can take into account. For example, the cost per record varies by country and industry.

Then there’s the type of data itself. Customer PII (personally identifiable information) is the costliest and by far the most compromised type of data.

But across the board, we can see the average cost per record for small to large data breaches clocks in at an unnerving £109.

Recent Data Breaches and How Much They Cost

Here’s a look at some bigger data breaches we’ve seen since 2020, and how much they’ve cost the company.

Facebook, April 03, 2021
533 million records
Estimated cost: £2.7 billion

Type of data exposed: phone numbers, date of birth, locations (inc. historic data), full name, some email addresses.

In early April 2021, the personal information of more than half a billion Facebook users was leaked. Facebook declined to notify impacted users (potentially as a cost-saving exercise, as we know that notification and ex-post response are two of the key areas) after their data was scraped by exploiting a vulnerability in a now disabled feature.

Microsoft, January 22, 2020
250 million records
Estimated cost: £1.3 billion

Type of data exposed: email addresses, IP addresses, chat logs.

2020 was hardly started before Microsoft announced a major breach. While they didn’t cover figures, estimates peg the exposed record count at 250 million. Those records contained email and IP addresses, as well as chat logs between support staff and customers. Microsoft admitted this breach was the result of a “misconfiguration of an internal customer support database”.

EasyJet, May 12, 2020
9 million Records
Estimated cost: £37 million

Type of data exposed: credit and debit cards

In May 2020, EasyJet announced 9 million customer records had been accessed in what they described as a highly sophisticated cyber-attack. This attack came at a bad time for EasyJet, as the pandemic’s impact was starting to take hold, and it involved credit card data. It also led to 10,000 people joining a lawsuit against EasyJet. Depending on the outcome of this case, the £37 million estimate may move into the billions, as each of the victims may be entitled to £2,000.

Marriott, March 31, 2020
5.2 million records
Estimated cost: £37 million

Type of data exposed: names, address, some phone and emails

Marriott hotel revealed 5.2 million guests had had their data exposed after hackers obtained the login details of two employees. This was on top of an earlier breach in 2018 when one of Marriott’s subsidiaries was hacked, revealing millions of unencrypted passport numbers and credit card records.

What Can Your Business do to Mitigate the Impact?

Businesses no matter the size are not immune to a data breach. Be it carelessness or malicious intent, when you have people interacting with machines, there will always be weak spots. There is also an abundance of people willing and able to exploit those weak spots.
It’s not all doom and gloom though, because there are plenty of things that your business can start doing right away to reduce the likelihood of a data breach.

  • Multifactor Authentication: The main goal of a phishing attack is for a cybercriminal to gain access to an email inbox so they can manipulate and send messages to your suppliers and customers on your behalf, usually asking them for money. Multifactor authentication (MFA) helps prevent these attacks: in addition to the username and password, the site sends a 6-digit passcode to your mobile phone when you log in. The cybercriminal may have your username and password, but they will never have the 6-digit code because they haven’t got access to your mobile phone, which is how MFA cuts out a good portion of these cyber-attacks. MFA is usually very easy and low cost to implement, yet it is one of the biggest defences against these types of attacks.
  • Security awareness training: The rise in remote working has added another layer of vulnerability, as employees use potentially insecure devices and connections to access sensitive data. So, now more than ever, employee cyber security training has the potential to reduce the risks (and potential costs) of data breaches.
  • Incident response testing: Knowing what to do when the worst happens can save your organisation thousands of pounds. You must put your incident response plan to the test with simulated attacks. It’s not just the IT team that needs to be involved in testing; everyone from salespeople to support staff should be involved, particularly given the constantly evolving nature of threats like phishing and ransomware. 96% of data breaches originate from email, but running simulated phishing attacks to prepare your team doesn’t have to be costly or time-consuming.
  • Mail Filtering: Adding mail filtering to your inbox may not be the most effective measure, as technology can be flawed and does not always recognise that an email is a phishing email or could be harmful, but it is still an extra line of defence. If you’re using Microsoft 365 you can upgrade to Advanced Threat Protection to filter your mailbox. To add an extra layer of protection you can also use a third-party external mail filter, so that O365 is filtering your mail but so is another technology; filtering your inbox twice will further reduce the opportunity for your organisation to suffer a cyberattack. Again, implementing mail filtering is a relatively inexpensive cost per user when considering the alternative.
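The MFA bullet above describes a site sending a 6-digit passcode to the user's phone as the second step of a login. The following Python sketch is an added example, not code from the original post or from any vendor, of what the server side of that step has to get right for the passcode to actually keep a phished password from being enough: the code is unpredictable, stored only as a keyed hash, expires, is single-use, and is locked after a handful of wrong guesses. The class name, the delivery callback and the constants are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Policy constants (assumed values, not from the original post).
CODE_LENGTH = 6          # matches the 6-digit passcode described in the text
CODE_TTL_SECONDS = 300   # a code is only accepted for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    code_hash: bytes   # HMAC-SHA256 of the code under a per-issue salt; plaintext is never stored
    salt: bytes
    issued_at: float
    attempts: int = 0


class SecondFactor:
    """Issues and checks one-time codes for a login that already passed password auth.

    Hypothetical helper written for this example; the clock is injectable so
    expiry can be exercised deterministically.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hmac.new(salt, code.encode("ascii"), hashlib.sha256).digest()

    def issue(self, username: str, deliver: Callable[[str, str], None]) -> None:
        """Generate a fresh code for `username` and hand it to the delivery channel.

        `deliver` stands in for the SMS/push gateway; the server keeps only the hash.
        A new issue replaces any earlier outstanding code for the same user.
        """
        # secrets.randbelow is a CSPRNG; zero-pad so "000042" is a valid code.
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingCode(self._digest(salt, code), salt, self._clock())
        deliver(username, code)

    def verify(self, username: str, submitted: str) -> bool:
        """Return True once, for the right code, inside its lifetime and attempt budget."""
        entry = self._pending.get(username)
        if entry is None:
            return False  # nothing outstanding: no code was issued or it was already consumed
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]
            return False  # expired codes are discarded even if the guess is correct
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[username]
            return False  # lock out brute forcing of the 10^6 code space
        ok = hmac.compare_digest(self._digest(entry.salt, submitted), entry.code_hash)
        if ok:
            del self._pending[username]  # single use: replaying a captured code fails
        return ok


if __name__ == "__main__":
    # Constructed demo: the "gateway" just records what it would have sent.
    outbox = []
    mfa = SecondFactor()
    mfa.issue("alice", lambda user, code: outbox.append((user, code)))
    _, sent_code = outbox[-1]
    print("first use accepted:", mfa.verify("alice", sent_code))
    print("replay accepted:", mfa.verify("alice", sent_code))
```

The point of the design is in `verify`: the attacker in the phishing scenario has the password but not the phone, so the only remaining avenues are guessing, replaying an intercepted code, or using a stale one, and each of those is closed by the attempt limit, the single-use deletion and the TTL respectively. Constant-time comparison and hashing the stored code are cheap habits that keep a database read or a timing side channel from leaking the code itself.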
