$40 million. It's the biggest amount (so far) paid by a company for the release of their data after a ransomware attack.1 With the number of data breaches steadily rising, however, it's only a matter of time until this unfortunate record is broken.
According to the Identity Theft Resource Center (ITRC)2, data breaches are up 14% in 2022 from 2021, even as malicious actors roll out new attack efforts—for example, the MIPS-based ZuoRAT malware3, which resembles the widespread Mirai Internet of Things (IoT) malware and is capable of compromising a host of popular router models.
The result? Compromise is a matter of when, not if, and depending on the nature and sophistication of the attack, companies could find themselves on the hook for massive ransom or remediation costs.
But money isn't the only impact of business data breaches. In this piece, we're exploring some of the biggest breaches ever recorded, discussing common conditions that make companies more susceptible to attacks, and digging into the real-world impacts of business data breaches.
What is a data breach?
Put simply, a data breach is any security violation in which confidential or sensitive information is accessed by or moved to a person or organization that doesn't have authorization, and the definition applies regardless of the outcome.
Consider three cybersecurity cases:
- Malicious actors gain network access and simply observe data being transmitted and stored across corporate data centers.
- Attackers compromise systems, encrypt key data, and demand money for its release.
- Cybercriminals infiltrate networks, exfiltrate data, and then sell it on the dark web for profit.
While the approaches in each case differ, all three are considered data breaches. Even in the case where all attackers did was observe, the very act of viewing data they aren't authorized to see makes this a data breach.
And given the increasing number of data breaches, it's no surprise that businesses are also taking longer to detect them. According to IBM and Ponemon's Cost of a Data Breach Report 2021, the average time to detect a breach is now 212 days.4
The biggest data breaches of all time
As data breaches continue to evolve, it's worth looking back on some of the biggest breaches of all time.
1. Heartland Payment Systems (2008)
The biggest attack of its time, the Heartland breach saw the compromise of more than 130 million credit and debit card numbers and marked one of the first efforts by attackers to target financial data.5 In the wake of the attack, Heartland's stock dropped by 80%.
2. Target (2013)
The Target breach saw more than 110 records—including customer names, credit cards, and verification numbers—stolen after a breach.6 As a result, the company paid an $18.5 million settlement, $10 million in a class-action suit, and $10,000 to each customer affected.
3. Equifax (2017)
In 2017, Equifax was the victim of a cyberattack that compromised the confidential data of more than 147 million people. Under an agreement with the Federal Trade Commission and the Consumer Financial Protection Bureau, the company agreed to a payment of $425 million to help those affected7, and individuals with expenses related to the breach can still file a claim for any fraud or identity theft-related spending from January 23, 2020 to January 22, 2024.
4. Solar Winds (2020)8
The largest nation-state attack to date, the Solar Winds breach affected more than 18,000 customers and 50 organizations.8 Even more worrisome? While attackers infiltrated the network in September 2019, the compromise wasn't detected until December 2020.
What makes businesses susceptible to data breaches?
While there's no silver bullet for stopping data breaches—all enterprises will eventually come under attack—there are conditions that make companies more susceptible to breaches, such as:
- Ineffective security models: Effective security requires a layered approach. Much like a home that has an alarm system, door locks, and guard dogs, there's no single solution to solve all security issues. Lacking this approach puts companies at risk.
- Third-party risks: While organizations may have secure apparatus and infrastructure inside corporate networks, there's no guarantee that the hundreds or thousands of suppliers they work with can say the same.
- Lack of training: Security is a shared responsibility. Even cutting-edge solutions can't keep companies safe if staff—from front-line employees to C-suite executives—aren't properly trained to recognize and report threats.
The impact of data breaches
As noted by the IBM/Ponemon study, the cost of a data breach hit a new record in 2021 at $4.24 million. Combined with the tools, technology, and staff hours required to remediate breaches—along with any ransoms paid—it's no surprise that companies often focus on cost as the primary problem.
But money isn't everything. When it comes to data breaches, other key concerns include:
- Loss of trust: 86% of customers said they would leave a business after one bad experience, and a breach of personal data certainly falls into this category.9 Scale up this customer churn and the result is a loss of trust in your organization.
- Damage to business reputation: Businesses can also suffer broader reputation damage that could impact their ability to retain B2B clients or close new sales. It makes sense: if business partners can't trust organizations to keep data safe, they won't stick around.
- Prolonged IT downtime: Even if businesses manage to contain the damage caused by data breaches, there's still the matter of remediation. Ensuring systems are free of malware and vulnerabilities have been closed can mean days or weeks of downtime.
- Mishandled breach response: If companies downplay the impact of a breach or are evasive about the details, the response can cause collateral damage as customers lose confidence.
- Government sanctions: There's also a growing trend toward government sanctions for failing to report a breach. For example, the Department of Justice recently announced plans to level "severe fines" against government contractors that fail to report data breaches.10
Dealing with data breaches
While it's impossible to eliminate the risk of data breaches, businesses can begin to minimize both the likelihood and impact of successful attacks with a Collective Defense approach. Put simply, you can't defend against what you can't see—and what you can't see can hurt you. By empowering cross-team and cross-company collaboration, organizations can gain key security insights that better equip them to defend against data breaches and reduce total risk.
- Mehrotra, Kartikay and Turton, William. "CNA Financial Paid $40 Million in Ransom After March Cyberattack." Bloomberg, 20 May 2021, https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack.
- "Identity Theft Resource Center Report: Data Breaches Increase; Victim Rates Drop in Q1 2022". ITRC, 13 Apr 2022, https://www.idtheftcenter.org/post/data-breach-increase-14-percent-q1-2022/.
- Goodin, Dan. "A wide range of routers are under attack by new, unusually sophisticated malware.” Ars Technica, 28 Jun 2022, https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/.
- "Cost of a Data Breach Report 2021.” IBM, https://www.ibm.com/security/data-breach.
- Messmer, Ellen. "Heartland: 'Largest Data Breach Ever.’” CSO, 20 Jan 2009, https://www.csoonline.com/article/2123599/heartland---largest-data-breach-ever-.html.
- "Target Settles 2013 Hacked Customer Data Breach For $18.5 Million." NBC News, 24 May 2017, https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031.
- "Equifax Data Breach Settlement." Federal Trade Commission, Feb 2022, https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement.
- Oladimeji, Saheed and Kerner, Sean Michael. "SolarWinds hack explained: Everything you need to know." TechTarget, 16 Jun 2021, https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know.
- "86 Percent of Consumers Will Leave a Brand They Trusted After Only Two Poor Customer Experiences." Business Wire, 2 Feb 2022, https://www.businesswire.com/news/home/20220202005525/en/86-Percent-of-Consumers-Will-Leave-a-Brand-They-Trusted-After-Only-Two-Poor-Customer-Experiences.
- Konkel, Frank. "DOJ to Hit Government Contractors with ‘Very Hefty Fines’ If They Fail to Disclose Data Breaches." Nextgov, 6 Oct 2021, https://www.nextgov.com/cybersecurity/2021/10/doj-hit-government-contractors-very-hefty-fines-if-they-fail-disclose-data-breaches/185894/.