Data is considered one of the most valuable resources in existence, and organizations commonly collect, process, and store massive amounts of it. As a result, it is not surprising that data breaches are becoming increasingly common and expensive.
Data breaches can be ranked in a couple of different ways, including by number of records breached and how much they cost the breached organization. In this article, we’ll look at the three data breaches that cost organizations the most in 2019 and some of the lessons that can be learned from these incidents.
Capital One – $300+ million
The Capital One breach is the most famous breach of 2019. In July 2019, the company reported a data breach that leaked a great deal of its customers’ financial information. This breach was unusual for several different reasons. The first is how the breach was discovered.
Most data breaches are discovered months after the fact, when anomalies are detected on the compromised system or stolen data is seen for sale on the Dark Web. This one was revealed when the cybercriminal bragged about her exploits on social media.
The Capital One breach is also significant because it demonstrates the importance of properly configuring an organization’s cybersecurity solutions. In this case, an improperly configured web application firewall (WAF) was used in the attack.
The WAF had administrator access to every part of the organization’s AWS deployment and was vulnerable to a server-side request forgery (SSRF) attack. The attacker, a former AWS employee, was able to exploit these two issues to exfiltrate data from Capital One’s cloud deployment.
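The two weaknesses described above, an outbound-request path that can be steered at internal addresses and a role that can do anything, are each cheap to check for. The following is an added example, not code from Capital One or AWS: a URL guard that refuses server-side fetches to loopback, private and link-local ranges (the last is where cloud instance metadata services live), and a small lint over an IAM policy document that flags wildcard actions or resources. All addresses, hostnames and policy documents in it are constructed samples.

```python
"""Added example (not Capital One's or AWS's code): two defensive checks that
address the pair of issues described above, an outbound-request guard that
refuses SSRF-style fetches to internal addresses, and a least-privilege lint
over an IAM policy document. All addresses, hostnames and policies below are
constructed samples."""
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges a server-side fetcher should never reach on a user's behalf:
# loopback, RFC 1918 private space, and link-local, which is where cloud
# instance metadata services live (169.254.169.254 on AWS).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip: str) -> bool:
    """True if the address falls in any range the fetcher must not contact."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def _dns_resolve(host: str) -> list:
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_safe_url(url: str, resolver=_dns_resolve) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to public
    addresses. `resolver` is injectable so the check can be tested offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addrs = [str(ipaddress.ip_address(parsed.hostname))]  # IP literal, no DNS
    except ValueError:
        addrs = resolver(parsed.hostname)
    return bool(addrs) and not any(is_blocked_ip(a) for a in addrs)


def overly_broad_statements(policy: dict) -> list:
    """Report every Allow statement that grants wildcard actions or applies
    to every resource; a WAF's role should need neither."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: applies to all resources")
    return findings


# Constructed sample policies: the first has the "administrator access to
# everything" shape, the second is scoped to what a log-shipping role needs.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-waf-logs/*"}]}

if __name__ == "__main__":
    for url in ("http://169.254.169.254/latest/meta-data/", "https://203.0.113.10/api"):
        print(url, "allowed" if is_safe_url(url) else "blocked")
    print(overly_broad_statements(ADMIN_POLICY))   # two findings
    print(overly_broad_statements(SCOPED_POLICY))  # []
```

The URL guard resolves the name once and then trusts the result; a hostname whose DNS answer changes between the check and the connection (DNS rebinding) would get past it, so a production fetcher should pin the resolved address at connection time or route all outbound requests through an egress proxy with the same deny list. The policy lint is deliberately narrow: it only catches the obvious `*` shapes, not subtler privilege escalation paths such as `iam:PassRole`.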
British Airways – $234 million
The British Airways data breach demonstrates the potential cost and impact of being a victim of a web skimmer attack. Web skimmers, like those used by the Magecart hacking group, are designed to infect legitimate businesses’ payment pages and steal the credit card data that users enter into these pages. This data is then packaged up and sent to a cybercriminal for use or sale on the black market.
While British Airways was actually breached in 2018 (with the public report in September of that year), the true cost of the breach didn’t hit until July 2019. British Airways is covered under the European Union’s General Data Protection Regulation (GDPR), and it took until July for the UK’s regulatory office, the Information Commissioner’s Office (ICO), to complete its investigation and decide on a fine to be levied.
The result was a record-breaking fine of £183 million (about $234 million). To put the fine into perspective, GDPR regulators only levied about €56 million in fines (about $61.6 million) in the first year of enforcement (May 2018 – May 2019), a little over a quarter of the British Airways fine. The fine levied by the UK ICO against BA demonstrated that GDPR regulatory authorities intend to take their duties, and their enforcement powers, seriously.
While the GDPR fine is the most obvious cost of the breach, the actual price tag is likely much higher. Investigations, notifications, and other post-breach activities also cost money. This breach demonstrated the importance of ensuring that an organization’s web presence is secure and regularly monitored.
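A web skimmer of the kind described in the British Airways section works by getting an extra script onto the payment page, so a practical form of the "regularly monitored" advice above is to inventory the scripts that page serves and alert on anything unexpected. The following is an added example, not British Airways' or Magecart-related code: it parses the delivered HTML of a payment page, flags external scripts from hosts outside an allowlist or without Subresource Integrity, and flags inline scripts whose hash is not on an approved list. The hostnames, the sample page and the approved inline script are all constructed for the example.

```python
"""Added example (not British Airways' code): a script-inventory check for a
payment page, to be run on a schedule against the page as served. Hosts,
hashes and the sample page are constructed for the example."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the payment page is allowed to load scripts from (constructed).
ALLOWED_SCRIPT_HOSTS = {"checkout.example.com", "cdn.example.com"}

# Inline scripts that belong on the page, identified by SHA-256 of their body.
APPROVED_INLINE = ['window.__cfg = {currency: "GBP"};']
APPROVED_INLINE_HASHES = {
    hashlib.sha256(s.strip().encode()).hexdigest() for s in APPROVED_INLINE
}


class ScriptCollector(HTMLParser):
    """Collects every <script> on the page: (src, integrity) pairs for
    external scripts and the body text of inline ones."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers script bodies as data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def audit_payment_page(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS,
                       approved_inline_hashes=APPROVED_INLINE_HASHES) -> list:
    """Return (finding_type, detail) tuples; an empty list means the page
    matches the expected script inventory."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.external:
        host = urlparse(src).hostname
        if host is None:  # same-origin relative path, served by us
            continue
        if host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        elif integrity is None:  # allowed CDN, but nothing pins its content
            findings.append(("missing-sri", src))
    for body in collector.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in approved_inline_hashes:
            findings.append(("unknown-inline", digest[:12]))
    return findings


# Constructed sample page: one first-party script, one allowed CDN script with
# SRI, one script from a host that is not on the allowlist, one approved
# inline script and one inline script nobody approved.
SAMPLE_PAGE = """<html><body>
<form id="payment" method="post" action="/pay"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example.com/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.unknown-third-party.invalid/s.js"></script>
<script>window.__cfg = {currency: "GBP"};</script>
<script>document.addEventListener("submit", function () {});</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_payment_page(SAMPLE_PAGE):
        print(*finding)
```

Run it from a scheduled job that fetches the live page and alerts on any non-empty result, and keep the allowlist and approved hashes in version control so a change to either is itself reviewed. The check only sees the HTML the server delivers; a script added at runtime by an already-loaded library is invisible to it, which is why it belongs alongside a Content Security Policy with reporting enabled rather than in place of one.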
Marriott – $123.6+ million
The Marriott hotel breach is another case where a breach from the previous year (reported in November 2018) had a price tag that came much later. The $123.6 million penalty levied against Marriott was announced by the UK ICO around the same time as the BA fine. However, the incidents were very different.
In the beginning, the Marriott data breach didn’t involve Marriott at all. In 2015, Starwood, one of Marriott’s main competitors, was breached by a cybercriminal. This attacker gained access to Starwood’s central reservations database, which contained a great deal of information about their customers (name, address, payment card data, passports, etc.).
Marriott came into the picture when they acquired Starwood in 2016. The breach went undiscovered during their due diligence and post-acquisition activities. In late 2018, the organization finally noticed the anomalies on their network that indicated the presence of an attacker and launched an investigation that revealed the extent of the breach.
The fines levied by GDPR regulators against Marriott demonstrated several things about how the regulation was enforced. First, the regulators are clearly willing to levy fines for breaches that begin before GDPR went into effect (May 2018) if the attack is ongoing. Secondly, the authorities intend to protect consumer data against all forms of negligence, including failure to properly perform cyber due diligence during mergers and acquisitions.
The GDPR fine against Marriott would have been record breaking if the British Airways fine hadn’t been announced first. However, the fine is not the extent of the data breach costs to the organization. Total costs are anticipated to reach as high as $1 billion.
Data Protection in 2020
The data breaches in this list had the highest calculable price tags in 2019. However, this doesn’t guarantee that they were actually the most expensive. In some cases, a data breach puts an organization out of business, like the Quest Diagnostics and LabCorp breach in 2019, which cost the company all future revenue as well.
As the regulatory landscape grows and evolves, the cost of data breaches is likely to only go up. The California Consumer Privacy Act (CCPA) went into effect January 1, 2020, enabling regulators to levy heavy fines in the event of a breach. As a result, deploying strong data security solutions is even more important to a company’s bottom line in 2020 than it was in 2019.