Corporations that don’t keep their data secure may soon long for the good old days when the “only” expenses they had to worry about from a data breach were recovery costs, brand damage, lawyers’ fees, and potential class action lawsuits.
That is because the cost of noncompliance could soon dwarf everything else. First came the European Union’s General Data Protection Regulation (GDPR), in force for 18 months now. Next, on Jan. 1, 2020, comes the California Consumer Privacy Act (CCPA). And numerous other pending state and federal laws in the U.S. could, in some cases, impose even harsher penalties than GDPR for failure to protect data.
So far, none of the fines imposed under GDPR have been large enough to seriously hurt an organization. But then, enforcement is still just getting in gear.
The maximum fine at the moment is €20 million ($22 million) or 4% of a company’s annual revenue, whichever is greater. For giants like Google, Facebook, Microsoft, and Apple, a data breach could cost them from $2 billion to more than $10 billion in damages. Not enough to send them looking for bankruptcy lawyers, but more than enough to get their attention.
And it has been another tough year for some corporate wallets. As everyone knows, all data breaches are bad, but some are much worse than others. Here is a brief list of some of the year’s most expensive data breaches and what they cost.
Date reported: July 29, 2019
Impact: About 100 million U.S. customers and 6 million in Canada
Security failure: Insider attack on a cloud-based server
Estimated cost of Capital One data breach: More than $300 million
Financial giant Capital One, one of the largest banks in the U.S., announced in July that it had discovered a breach that compromised the Social Security numbers, credit scores, and credit card transaction data of more than 100 million customers. The company said the hackers had not stolen credit card numbers and log-in credentials. But the data breach was still labeled one of the biggest hacks of a financial institution in history.
Paige Thompson, 33, of Seattle, a former software engineer who had previously worked for Amazon, was charged with computer fraud and abuse in connection with the hack, according to the Department of Justice.
Thompson, who reportedly gained unauthorized access to a cloud-based server, could face up to five years in prison and a $250,000 fine if convicted.
According to the New York Times, Thompson helped lead investigators to her by boasting about the hack on GitHub. The theft included more than 80,000 bank account numbers, more than 140,000 Social Security numbers, more than 1 million Canadian social insurance numbers, and millions of credit card applications, dating back to as far as 2005.
Capital One estimated the data breach could cost it more than $300 million.
Date reported: Sept. 6, 2018
Impact: About 500,000 customers
Security failure: Vulnerability in third-party JavaScript
Estimated cost of BA data breach: Proposed fine of £183 million ($234 million)
As noted, this data breach was disclosed more than a year ago, in September 2018. But it wasn’t until this past July that the U.K.’s Information Commissioner’s Office (ICO) proposed a record fine of £183 million ($234 million). British Airways (BA) called the incident a “sophisticated, malicious criminal attack” on its website, but the ICO described it as poor security arrangements.
The hackers were able to divert users of the BA website to a fraudulent site, where they collected customer data that included log-ins, credit card numbers, expiry dates, and three-digit CVV codes, travel booking details, and names and addresses.
The penalty would amount to 1.5% of BA’s worldwide annual revenue for 2017, less than the possible maximum of 4%. But it was still vastly more—367 times more—than the previous record fine of £500,000 imposed on Facebook over the Cambridge Analytica scandal.
And it could have been prevented. Wired was among many outlets that reported that the hacker group called Magecart exploited “a vulnerability in third-party JavaScript used on the website.”
The group is “believed to have secreted 22 lines of code that diverted crucial details around payments to a separate website controlled by the criminals. The third-party piece of JavaScript, Modernizr, sent data to baways.com—a similar-sounding website to the official one, but out of the control of the airline.”
“The vulnerability in Modernizr is a well-known one, and BA had not updated it since 2012—long after problems were known to exist.”
The actual fine may be a lot less. The ICO’s announcement was a “notice of intention.” And BA said it intended to appeal, given that it cooperated with the ICO and made security improvements.
Date reported: June 3, 2019
Impact: Personal and financial data of 19.6 million patients (11.9 million for Quest, 7.7 million for LabCorp)
Security failure: Breach of third-party collection vendor American Medical Collection Agency (AMCA)
Cost of AMCA data breach: AMCA filed for bankruptcy
Quest Diagnostics, one of the largest blood-testing laboratories in the U.S., announced in June that an unauthorized user had accessed data on nearly 11.9 million patients, including credit card numbers, bank information, Social Security numbers, and medical information, but not laboratory test results. In July, LabCorp reported a similar incident affecting 7.7 million patients. Both exposures were attributed to a data breach at AMCA, a collection agency.
Quest and LabCorp said that AMCA had informed them that an unauthorized user had access to the information between Aug. 1, 2018, and March 30, 2019.
HIPAA Journal reported that “researchers at Gemini Advisory notified databreaches.net that they had discovered the payment card details of around 200,000 patients listed for sale on a darknet marketplace. Gemini Advisory determined that the credit card details came from AMCA.”
While 19.6 million records don’t come close to the number compromised in other breaches, such as Capital One, it was the second-largest data breach of patient information, after the 2015 breach of 78.8 million records from Anthem.
The impact of the breach has not crippled Quest or LabCorp. But Bloomberg reported in June that AMCA lost its four largest clients, including the two noted, following the breach. Shortly after, AMCA filed for Chapter 11 protection, aiming to liquidate, citing what its lawyer described as “enormous expenses that were beyond the ability of the debtor to bear,” including $3.8 million to mail more than 7 million notices to individual breach victims.
AMCA listed assets and liabilities of as much as $10 million in its bankruptcy petition filed in the Southern District of New York.
Date reported: Nov. 30, 2018
Impact: Data of about 500 million customers
Security failure: Insecure cash registers
Estimated cost of Marriott data breach: £99.2 million ($123.6 million) in GDPR fines so far, but total may reach $1 billion
The Marriott breach is another data breach that began long before this year, but the U.K.’s ICO announced the proposed fine under GDPR this past July.
After acquiring its competitor Starwood in 2016, Marriott discovered Starwood’s central reservation database had been hacked. The data breach, disclosed on Nov. 30, 2018, was one of the worst in history, affecting an estimated half-billion customers who made reservations at Starwood properties starting in 2014. According to the ICO, about 30 million of those customers were in the EU.
The attackers remained in the system after Marriott acquired Starwood in 2016; the company did not discover them until September 2018. Marriott said on its website that customer payment card data was protected by encryption technology. However, the company couldn’t rule out the possibility the attackers had also stolen the encryption keys needed to decrypt the data.
For some victims, only name and contact information was compromised. For others, the attackers were able to take some combination of contact info, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that the attackers stole credit card numbers and expiration dates of more than 100 million customers. But the company is uncertain whether the attackers were able to decrypt the credit card numbers.
Security blogger Brian Krebs reported that Starwood had disclosed a breach in 2015 that “involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of its guest reservations or membership systems.”
According to the New York Times, the breach was eventually attributed to a Chinese intelligence group seeking to gather data on U.S. citizens. If true, this would be the most significant known breach of personal data conducted by a nation-state.
This year, Bloomberg Intelligence analysts Tamlin Bason and Holly Froum estimated the total costs at around $1 billion.
But the Wall Street Journal reported in August 2019 that the company had taken just a $126 million charge in connection with the data breach.
And Security Week reported that “unsurprisingly, several lawsuits have been filed against Marriott by both customers and investors in response to the breach. The company may have only paid a relatively small amount so far, but class actions resulting from cybersecurity incidents have been known to cost major firms tens of millions of dollars.”