The Top 10 Most Expensive Security Breaches

Published Dec 03, 2019

Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.

How much can a data security breach really cost a company? What is the cost of a few infiltrated databases and stolen customer account information? The answer ranges between millions and billions of dollars in damages paid to those whose information was lost.

Even the biggest industry names like Equifax and IBM are not immune to security breaches. In fact, you’ll probably recognize the name of every single one of the biggest spenders in security breach expenses listed below.

When a national or international brand experiences a cybersecurity breach, the cost can be crippling. In addition to astounding fines for putting customers at risk, businesses also face settlement payments to those affected. If settlements are not offered right away, the victims of these breaches — the customers and sometimes employees — are quick to form a class action that will force the issue of settlement payments.

Today, we’re here to cover the top ten most expensive security breaches in US history, and you’re sure to recognize the big brands that slipped up and had to pay out.



10) Uber 2016 – $148 million

Starting off our list today is the Uber 2016 data breach. Despite its popularity, Uber has a notorious track record of disregarding the safety and rights of those who use the service, drivers and riders alike. The 2016 data breach is no exception. Not only did Uber allow the personal details of 57 million riders and drivers to be exposed (including over 600K US driver's license numbers), but they then covered up the entire issue.

After paying $100,000 to the hackers (yes, to the hackers) to delete the stolen data, they were then discovered and fined an additional $148 million for the negligence and cover-up.

9) Sony PlayStation Network 2011 – $171 million

Further back in time, Sony suffered a critical data breach in 2011. This hack of the Sony PlayStation Network was one of the most exposing of all time. Not only were 77 million user accounts included in the breach, but the information stolen was unfortunately comprehensive. It wasn’t just usernames and passwords. It was names, home addresses, birthdays, usernames, passwords, and the answers to security questions. Everything a hacker would need to start stealing an identity, much less play your PlayStation Network games.

The total cost of the Sony PlayStation Network hack was $171 million, which was particularly difficult for Sony as Japan suffered a devastating earthquake the same year, costing the company even more than the security breach.

8) Marriott 2018 – $200 million

In 2016, Marriott bought another hotel brand called Starwood and all their properties, but they didn’t overhaul the Starwood hotels’ data security when they did so. This led to an awful discovery in 2018: that Starwood’s booking system had seen a huge amount of hacker activity since 2014. That’s eight years of hacking starting two years before Marriott even purchased the Starwood properties.

In that time, over 500 million guest accounts were hacked and roughly 327 of those accounts had exposed sensitive information including names, passport numbers, and email addresses. Credit card numbers, while encrypted, were also exposed.

Marriott paid over $200 million in damages and fines, but the cost to their company in terms of trust and loyalty has been estimated as closer to $1 billion.

7) TJX 2007 – $256 million

TJX is the parent company of TJ Maxx, Marshall’s, and Home Goods. In 2007, TJX reported that over 46 million credit card numbers had been stolen from their databases. These numbers were unencrypted and ready to use. However, with further investigation, it was discovered that the number of credit card numbers stolen was closer to 100 million, which multiplied their settlement by ten times the original estimate.

TJX paid $256 million to make things right with the customers and pay data breach fines.

6) Epsilon 2011 – $270 million

Epsilon is an email marketing service that, in 2011, was the victim of the “Hack of the Century”. While not the most costly in the long run, Epsilon was storing millions of email addresses including the email details of customers for all the major banks as well as popular retail and hotel chains. This list included thousands of personal emails from A-list clients.

After it was discovered that hackers had accessed their stored email addresses, Epsilon faced $225 million in liabilities costs with an additional estimated $45 million in lost business. Together, this made up a total cost of $270 million.

5) Target 2013 – $300 million +

Target has always been a hotspot during holiday shopping, but the 2013 data breach made for a bad year. Like most retail outlets, Target relies on point-of-sale (POS) devices for checkout. Unfortunately, in 2013 their POS system exposed the credit card and debit card numbers of more than 40 million customers. A further 70 million customer records including names, addresses, phone numbers, and email addresses were also exposed.

Target was forced to pay up to $39 million to banks and credit card companies to cover reimbursement after fraudulent charges made with the stolen numbers. They paid an additional $250 million in settlements and with shareholder lawsuits, their cost is pushed over the $300 million mark.

4) Yahoo 2013 & 2014 – $470 million +

Yahoo revealed a jaw-dropping double hack in 2016 relating to a hack in 2013 and another in 2014. The 2013 hack revealed user information for 3 billion accounts and the 2014 hack exposed 500 million additional users. The astounding pair of security breaches were kept under the rug for years, but the revelation damaged Yahoo considerably.

The cost to Yahoo comes in three parts. First, $350 million was knocked off the amount Verizon paid to buy Yahoo. Second, Yahoo had to pay $85 million in settlements to those affected, and was required to pay a $35 million fine to the SEC. This rounds out to an impressive $470 million cost for the double breach.

3) Exactis 2018 – $500 million +

Exactis is a B2B service that provides marketing and data aggregation. But what they do is handle user information. Only a few months ago, it was discovered that Exactis exposed over 340 million user accounts and business contacts including personal information on both people and businesses. While credit card numbers and social security numbers are not included, minute details of each name were exposed including personal habits, along with the age and gender of people’s children.

Not only was highly personal information of millions of US adults exposed, but some of the information was collected without consent. Currently, the cost is estimated at $500 million and it is assumed the cost will be higher when all settlements and fines are fully assessed.

2) US Office of Personnel Management 2015 – $500 million

The US Office of Personnel Management (OPM) handles the personal information of millions of federal employees. In 2015, they suffered a short series of data breaches due to intrusion while in the process of improving their security. As a result, the personal information of over 4 million federal employees was exposed. OPM then dedicated $500 million to offering free credit reports and credit monitoring to the victims to minimize any negative effect of the breach.

1) Equifax 2017 – $700 million

Last and “best” of all the costly security breaches is Equifax. The credit monitoring giant has been trusted by billions of customers over the years for free and paid services monitoring, reporting, and managing credit. However, even the finance security giants aren’t safe in the current hacker climate. In 2017, Equifax suffered a major breach and a follow-up breach that together exposed the data of 145.5 million US accounts and 15.2 million UK accounts.

They spent $449 million on tightening their system and offering free identity protection to the affected accounts but the total cost is estimated closer to $700 million including settlements and industry fines. Wall Street also lowered the company’s valuation by $4 billion after the attack was revealed.
