[BreachExchange] Adding Up the Full Cost of a Data Breach

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 16 20:09:51 EST 2016


https://www.skyhighnetworks.com/cloud-security-blog/adding-up-the-full-cost-of-a-data-breach/

Data breaches are happening all the time; often they hit the news for a
short while and are then replaced by the latest list of victims, so we
thought we’d review a data breach from a year ago and look back at the
total cost to the company involved. The breach took place in October 2015,
when a UK service provider, TalkTalk, was hit by a DDoS attack alongside a
SQL injection attack that was used to extract the data.

Background

TalkTalk suffered a data breach in October 2015 resulting in the theft of
personal data. Full details of the loss are available in other articles, so
there’s no need to go into the technical details here.

There was a huge amount of publicity in the UK, and during the first few
days the situation and the amount of data lost were not clear. In the end,
156,959 sets of personal details were stolen, 15,656 of which included bank
account details. The company contacted each of its customers to try to
reassure them and provided a free credit monitoring subscription for a year
in case other data had also been lost and was being misused.

In its subsequent financial results, the company admitted to lost
customers, direct costs to the business of £60,000,000 and a revenue drop
of £80,000,000. A later review of the total market showed that it had lost
4.4% market share.

One year later, in October 2016, TalkTalk was fined £400,000 by the
Information Commissioner’s Office (ICO) for the incident. The fine is the
highest ever imposed by the ICO, with TalkTalk’s lack of cybersecurity
cited as the reason for the amount. The Information Commissioner, Elizabeth
Denham, said that TalkTalk’s “failure to implement the most basic
cybersecurity measures allowed hackers to penetrate systems with ease”.
While in the eyes of some the fine may seem high, it works out to only
about £2.50 per impacted customer.

This breach can be examined further, and there are key lessons all
businesses should learn from it.

1. The total cost of a data breach isn’t always obvious

While the £400,000 fine is substantial, it is really just the tip of the
iceberg in terms of how much the data breach actually cost. There were
many other financial repercussions which, for some other firms, could have
been fatal: an 11 percent drop in share price, and the loss of 101,000
existing customers as well as potential future ones. All in all, when
remediation costs are included too, TalkTalk calculated that the breach
cost it more than £80 million in revenue. That’s hardly pocket change.

2. Acquisitions and demergers affect cyber risk

When Carphone Warehouse purchased the UK subsidiary of Tiscali, the
business was merged with TalkTalk, which it also owned at the time.
Following the data breach, the ICO’s investigation revealed that the
attackers had gained access to the customer database through vulnerable
web pages that had belonged to Tiscali. When companies merge or split, the
impact on IT systems must be managed, however insignificant those systems
may seem. Inherited systems have a different parentage, which can affect
how effective a cybersecurity solution or process is, leaving potential
access points unguarded. The practical check is an inventory of every
internet-facing asset that arrives with the deal, so that none of it sits
outside the acquirer’s patching and monitoring.

3. Patching and updating can mitigate some of the risks caused by aging
systems

It’s no great surprise that older systems are more vulnerable to cyber
attacks than newer ones. Yet some businesses continue to rely on aging
systems without patching or updating them, which simply makes things even
easier for cybercriminals. The targeted Tiscali web pages had not been
patched for three and a half years, and the backend database software was
no longer supported by its supplier. When you consider the rapid pace of
cyber threat evolution, that’s the equivalent of leaving the windows and
doors open. Businesses must ensure they patch on a regular basis and set
aside time for major updates. Software that no longer receives security
fixes at all needs a plan for replacement or isolation, because no patching
schedule can help there.

4. Warnings and red flags should be investigated

TalkTalk has faced, and will continue to face, scrutiny for its handling
of the debacle, but one of the biggest criticisms is that it did not
investigate numerous warnings that something was wrong. While it was the
October 2015 data breach that made these particular headlines, TalkTalk
customers had already fallen victim to scams following a previous breach,
and the regulator’s investigation found there had been two previous SQL
injection attacks in the preceding three months, but TalkTalk was not
monitoring those particular web pages. Whether the company ignored the
warnings or was simply unaware of them, businesses should investigate any
sign that an issue exists. This includes red flags generated by
cybersecurity systems: almost a third of companies suffer from alert
fatigue, caused by the sheer volume of alerts and numerous false
positives, and do not investigate.
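Point 4 says the attacked pages were not being monitored and that alerts go uninvestigated. The following added example, which is not code from the original post, from TalkTalk or from the ICO, shows what even minimal monitoring of a known-weak set of pages looks like: it parses combined-format web access logs, decodes query parameters (including double-encoded ones), applies a handful of SQL injection indicators and groups hits by source address and page. The log lines, IP addresses, paths and the indicator list are constructed for illustration and are assumptions, not TalkTalk’s or Tiscali’s data.

```python
"""Flag SQL injection attempts in web access logs.

Added example (not code from the original post, TalkTalk or Skyhigh).
The log lines are constructed in the standard "combined" access-log format;
IP addresses, paths and timestamps are illustrative assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample: a baseline request, two injection probes against a
# legacy page from the same source, and two benign requests.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2015:09:14:02 +0100] "GET /legacy/account.php?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2015:09:14:09 +0100] "GET /legacy/account.php?id=1042%27%20OR%201%3D1-- HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Oct/2015:09:14:21 +0100] "GET /legacy/account.php?id=1042%27%20UNION%20SELECT%20name,account_no%20FROM%20customers-- HTTP/1.1" 500 612 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2015:09:15:00 +0100] "GET /search?q=broadband%20deals HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Oct/2015:09:16:30 +0100] "POST /legacy/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic indicators applied to each decoded parameter value.  These catch
# the textbook probes; a production ruleset needs many more and a tuning loop.
INDICATORS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment_terminator", re.compile(r"(--|/\*)\s*$")),
    ("stacked_query", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding until the value stops changing.

    Double encoding (%2527 -> %27 -> ') is a common trick for slipping past
    a filter that decodes only once.
    """
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Parse one access-log line; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl decodes once; fully_decode catches further encoding layers.
    rec["params"] = [(k, fully_decode(v))
                     for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    rec["status"] = int(rec["status"])
    return rec


def sqli_indicators(value: str) -> list:
    """Names of every indicator that fires on a single parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def scan_log(text: str, watched_paths=None) -> list:
    """Return one alert per request whose query parameters look like injection.

    watched_paths restricts the scan to path prefixes (e.g. inherited legacy
    pages); None scans every request.  POST bodies are not in access logs,
    so body-borne injection needs application or WAF logging instead.
    """
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if watched_paths and not any(rec["path"].startswith(p) for p in watched_paths):
            continue
        hits = [(name, ind, value)
                for name, value in rec["params"]
                for ind in sqli_indicators(value)]
        if hits:
            alerts.append({
                "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                "status": rec["status"], "size": rec["size"],
                "indicators": [ind for _, ind, _ in hits],
                "params": sorted({name for name, _, _ in hits}),
            })
    return alerts


def summarise(alerts: list) -> Counter:
    """Count flagged requests per (source IP, path) so repeat probing stands out."""
    return Counter((a["ip"], a["path"]) for a in alerts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, watched_paths={"/legacy/"})
    for a in found:
        print(f'{a["ts"]} {a["ip"]} {a["path"]} status={a["status"]} '
              f'size={a["size"]} indicators={a["indicators"]}')
    for (ip, path), n in summarise(found).items():
        print(f"{ip} probed {path} {n} times")
```

Run against the constructed lines, it flags the two probes against /legacy/account.php from one source within twenty seconds: one returns a 500, the other a 200 whose response is almost twenty times larger than the baseline request to the same page. That size jump is worth its own alert even when the pattern list misses the payload, and the watched_paths argument exists so that inherited legacy pages can get a lower-threshold rule than the rest of the estate.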

5. Communication plans are essential

How a company communicates a data breach is vital in mitigating the
potential damage to its reputation. If customer data has been compromised,
customers need to be made aware of it, and the need is even more pressing
if bank details have been taken. To reassure all stakeholders that the
situation is being handled, firms must have a communication plan, including
draft email, letter and call-script templates, in place so that
communications can be issued immediately. Unfortunately TalkTalk’s initial
responses fanned the flames, due in part to a lack of preparation as well
as slow identification of the total data loss. While companies must be
proactive with their communications, they must also have the resources to
deal with customers calling in. TalkTalk customers faced long holding times
when ringing to find out more information, compounding their anger further.

6. EU GDPR will increase fines

The ICO’s fine is a record amount, but TalkTalk is fortunate that the
breach took place before the EU GDPR comes into force in May 2018. The new
regulation allows fines of up to four percent of global annual turnover or
€20 million, whichever is higher; in TalkTalk’s case this could mean a fine
of around £73M, roughly the same as its profit in its last financial year.

7. EU GDPR enforces disclosure

The GDPR requires personal data breaches to be reported: any company that
suffers one, regardless of whether the fault is its own or a third party’s,
will have 72 hours to notify the regulator, and where the breach is likely
to put individuals at high risk it must also inform the affected data
subjects “without undue delay”. Data that was properly encrypted is the
main exception to that second duty, which is why the post describes the
rule as covering unencrypted data. Being able to investigate data transfers
and monitor cloud use will therefore become essential.

8. Cybersecurity is a boardroom issue

If a company were to take only one lesson away from TalkTalk’s breach, it’s
that data is now the crown jewels of any business. Not only will it help
drive sales and growth, but mishandling it can lead to severe fines and
even closure. It needs to be treated with the utmost respect and that means
understanding that cybersecurity is now a boardroom discussion. For too
long it has been considered the remit of IT but, with so many areas where a
business can become vulnerable, it must now be an enterprise-wide endeavour.