The Cost of Data Breaches in 2017 & What's Ahead

With the average cost of data breaches rising – including per-record costs of each breach – it’s high time most enterprises are going to have to get serious about changing their approach to infosec.

As 2017 gets further in our rear-view mirror, many are saying that 2018 should bring changes to their approach to information security. Eighty percent of survey respondents in the U.S. and U.K. say they’ll change how they approach security, with most either switching managed service providers or switching from internal to third party resources, many for the first time.

Ponemon Institute estimates an average breach cost of $3.5 million in 2017, with a 27% probability that a U.S. company will experience a breach in the next 24 months that costs them between $1.1M and $3.8M. If you multiply Ponemon’s estimated per-record cost for a breach, split out by industry vertical, many of the breaches listed at the end of this article would potentially cost hundreds of millions of dollars. There are other cost factors: Yahoo’s acquisition by Verizon saw a $350M reduction in purchase price due to a loss of 1.5 billion records. The IRS estimates that due to a scheme involving the IRS Data Retrieval Tool, used to complete the Free Application for Federal Student Aid (FAFSA), it cost the government (and taxpayers) $30 million in fraudulent tax returns. Health insurer Anthem has agreed to a $115 million settlement in connection with a breach that impacted 80 million of their customers. It’s interesting to note that if multiplied by Ponemon’s estimated per-record breach cost of $380 for the health vertical, their liability would have been over $3 billion.

Learn about 5 effective ways to prevent a data breach in this article.

What happens when threat actors themselves are breached? A group of spammers operating under the name River City Media unknowingly released their own ill-obtained data stores of Personal Identifiable Information (PII) due to backup misconfigurations, resulting in an estimated additional breach of 383 million records – this from a database discovered to have 1.4 billion records. Another spambot breach reportedly involves over 700 million records.

The number of people whose personal information has not been breached is relatively low, and lack of proper attention to security infrastructure and operations is the root cause of almost all of the most notable breaches of 2017. With Equifax, it was lack of appropriate patch management and failure to notice data exfiltration. With Saks, a website design flaw was linked to unencrypted customer data. For several others, it was a contractor that left PII available, whether by error or negligence, on AWS. Uber even tried to cover up their breach by paying off the threat actors that stole the data. To ensure the fox isn’t in the henhouse, 3rd party security providers can provide guidance and oversight, especially if reporting to CFO, CEO and Chief Legal Counsel levels of management.

What’s more, the Mean Time to Identify and Mean Time to Contain for 2017 remain respectively at 208 and 52 days, dramatically increasing breach costs. It’s not just that lack of proper controls, architecture, and policy are lacking: suboptimal incident detection and response raise the cost of a breach even higher.

Many of the breaches of 2017 haven’t released findings of the numbers of records stolen, and are still under investigation. At least 30 states in 2017 have introduced or considered security breach notification bills and resolutions, and federal legislation is being formed that would carry a 5-year prison sentence for those who would fail to notify.

Read about our cybersecurity, compliance and IT predictions in the year ahead.

The European Union’s General Data Protection Act (GDPR) carries a non-compliance penalty that is 4% of a company’s global revenues or €20 million, whichever is greater. Complying with security best practices almost becomes a cost center unto itself, not because of revenue it will gain, but because of monetary value that proper security would preserve.

Many times, I’ve heard security expenditures referred to as being akin to insurance, but they are each distinct from the other. Insurance replaces the value that is lost, while security strives to prevent the loss from happening in the first place. It’s an important difference: avoiding putting people’s information at risk is far preferable over reimbursement for costs one incurs due to inadequate security.

The most logical course of action for any business that wishes to avoid exposing sensitive data and incurring subsequence breach costs, including regulatory fines and penalties, is to use security resources that bring the most value. Appetite for CapEx and payroll vs. OpEx certainly plays a role.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_86671402_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
CONSENT	16 years 3 months 14 days 7 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
driftt_aid	2 years	The driftt_aid cookie is an anonymous identifier token set by Drift.com for tracking purposes and helps to tie the visitor onto the website. The cookie also allows Drift to remember the information provided by the site visitor, through the chat on successive site visits.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
ajs_group_id	never	This cookie is set by Segment.io. The purpose of the cookie is currently not identified.
AnalyticsSyncHistory	1 month	No description
debug	never	No description available.
drift_aid	2 years	No description
drift_campaign_refresh	30 minutes	No description available.
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Insights > Blog

The Cost of Data Breaches in 2017 & What’s Ahead

Notable data breaches of 2017

Did you enjoy this blog article? Comment below with your feedback.

0 Comments

Submit a Comment Cancel reply

GET EMAIL UPDATES

Information Security Maturity Self-Assessment Survey

Learn More

Social Media

LinkedIn

Powered by Juicer

View on LinkedIn

Social Media

Twitter

Take some time to relax, rejuvenate, and recharge with Cipher and @Imperva on April 20th. Please join us at the Ivory Peacock NYC for drinks and appetizers. ...Every attendee will receive a FREE Massage Envy gift card. Register Here: https://bit.ly/42xupu1

Social Media

Facebook

Cipher | Continuously improving your cybersecurity posture and visibility#Cipher #cipheraprosegurcompany #ciberseguranca #threats #visibility #XMDR #cipherplatform ... See MoreSee Less

Ver no Facebook
· Share
Share on Facebook Share on Twitter Share on Linked In Share by Email

Insights

Whitepaper

Dig into the details of cybersecurity and regulations by reading our exclusive white papers. Each paper is written by an expert at Cipher and full of insight and advice.

Learn more