2015 was called the year of the breach, with organizations like Target being compromised and losing around 30 million credit card numbers, and OPM losing the list of government employees with a security clearance. That would make 2016 the year of the mega-breach. The Identity Theft Research Center (ITRC) recorded 1,093 breaches last year, with a known total of 36.6 million records exposed or stolen, but estimates now put that number well over 1 billion records, and a total of 4.8 billion records exposed since 2013. With devastation on that scale, it raises the question: how much does a data breach actually cost?
In recent news, the purchase of Yahoo by Verizon has been dominating headlines. Not so much for online behemoth Verizon acquiring Yahoo's market share, but rather for the information that has been disclosed as a result: in this case, that Yahoo had suffered several breaches which it never disclosed. The original sale price was being negotiated at $4.8 billion, but as the information came out, the final negotiated price was cut by $350 million, bringing the total buyout price to $4.45 billion.
Currently the average cost per record lost in a breach is $221, the highest it has ever been. The average cost for a business that has been breached is $7.01 million. The FTC has begun taking a more proactive role in holding businesses accountable for losing customer data. This is great news for consumers, because it means that if a business is cavalier about its data storage and/or processing policies, it will now face actual fines and real consequences. The flip side, however, is that a business can do everything right and still be breached, as most pentesters can attest. How do we as a culture balance the carrot and the stick in legislation and policy?
The answer is still unclear; legislation as a way of controlling security is largely undesirable. The overall cost of a breach to a company also includes things that are less straightforward, such as lost consumer confidence, the cost of offering identity theft protection and credit monitoring, and potential fines, all of which can change the total cost to the business. The real issue at hand is what it costs the consumer in losses from fraud, card replacement, and potential identity theft. While these answers remain somewhat ambiguous, one thing is certain: we as consumers should be more vigilant than ever when looking at the companies we do business with. We as security professionals, however, have an even greater responsibility. We are responsible for making sure we keep consumers safe with good technologies, good policies, and good education and testing.