We hear a lot about the latest data breach, but we don’t always hear so much about the aftermath. Let’s look at some examples from 2017 to drive home the impact that a cyber incident can have on an organization.
Uber was a classic study in what not to do in response to a breach. After learning that almost 60 million user and driver accounts had been exposed via ransomware, Uber execs decided to pay the ransom instead of reporting the breach.
As a result, the CISO was immediately fired, and the CEO followed shortly thereafter. Several Senators submitted a bill to make it a legal offense for C-Level executives to knowingly conceal a data breach.
Equifax’s data breach was massive, with 143 million people exposed. They waited months to disclose the breach, then directed consumers to a hacked website which exposed the credentials they provided. On top of that, the terms for accepting their free credit monitoring initially included, in the fine print, a statement that the consumer waived their rights to any class action suit related to the breach.
Equifax stock lost $4 billion in market cap, and months later the stock is still down over 20%.
Yahoo was forced to discount their sale price to Verizon by over $350 million as part of the fallout from the reported exposure of a billion customer records (which later turned out to be all 3 billion users).
Yahoo’s former CEO personally lost $14 million in stock and bonus when all was said and done.
And then there are fines and settlements. In 2017, Anthem settled litigation from its 2015 breach of 80 million patient records for $115 million, a new record. VTech just agreed to pay an FTC fine of $650,000, and Home Depot’s settlements had reached $25 million at last count.
These are big players, which is why we know so much about what happened post-breach, but smaller organizations need to be just as concerned. An estimated 14 million small businesses were hacked between April 2016 and April 2017. Faced with investigation, remediation, notification, fines and legal costs, many do not survive: a study by the National Cyber Security Alliance found that 60% of small businesses go out of business within 6 months of a cyber incident.
Concern over the lack of preparation for a cyber incident seen in many of the SMB attacks has led to more pending legislation, the Main Street Cybersecurity Act.