There have been several high-profile data breaches in the news lately, and some of them have been truly shocking. Most notably, the White House recently confirmed a second data breach that exposed records on military and intelligence personnel. The second breach was found unintentionally, during the investigation into the first. The compromised data came from background investigations, which also cover relatives, references and other contacts of the people investigated, so millions of Americans outside the Federal government may be exposed as well. Many records are already for sale on the darknet.
What is the cost of that breach? We may never get a true number. We can add up man-hours and software, hardware and vendor expenses, but what about the other damages, the ones that do not come with a price tag?
Former Counterintelligence Officer John Schindler said the damage from the Office of Personnel Management’s data breach alone cannot be undone, in part because the agency conducts background investigations for security clearance holders across many federal agencies.
“… the other side now so dominates the information battlespace that it can halt actions against them,” Schindler said. “If they get word that an American counterintelligence officer, in some agency, is on the trail of one of their agents, they can pull out the stops and create mayhem for him or her: run up debts falsely … plant dirty money in bank accounts … cause any curious officials to lose their security clearances.”
Schindler concludes that some of this damage may not be reparable, “ever,” and former CIA Director Michael Hayden seems to agree:
“… hackers who obtain the information could use details from the records to try to cultivate unsuspecting U.S. officials as spies, leveraging details in the records to cozy up to midlevel U.S. officials and later develop information-sharing relationships.”
How do we calculate the cost of that?
Public sector data breaches are widely reported, primarily because these organizations operate under mandatory disclosure rules. The Verizon 2015 Data Breach Investigations Report (DBIR) does a good job of filtering out that “noise” so that you get a true “apples to apples” comparison of breaches by industry. Even after this correction, the public sector remains among the most affected industries; information and financial services round out the top three.
The Ponemon Institute attempts to quantify the cost of a data breach in their annual Cost of a Data Breach Study. In the most recent US report, they conclude the following:
The cost of a compromised record set a new record high. Data breaches cost companies an average of $74 per record in direct costs to resolve the breach and $143 per record in indirect costs such as customer churn, for a new high of $217 per compromised record. The study also found that abnormal churn following a breach increased by 3%, even though the average size of a data breach increased by only 2%.
The total average organizational cost of data breach increased to $6.53 million, up from $5.4 million in 2013.
Detection and escalation costs are at a record high, increasing from $0.42 million to $0.61 million. The increase reflects greater spending on forensic and investigative activities, assessment and audit services, crisis team management, and communications to stakeholders and management.
Post-data-breach costs increased. Related to the point above, these costs typically include help desk activities, inbound communications, special investigative and remediation work, legal expenditures, and more. They increased from $1.60 million in 2014 to $1.64 million in this year’s study.
The Ponemon study and Verizon DBIR offer many more interesting findings. You can find them here:
- Ponemon – US Cost of Data Breach Study
- Ponemon – Cost of Data Breach Study: Global Analysis
- Verizon – 2015 Data Breach Investigations Report (DBIR)
Despite the best efforts to calculate costs, many remain uncounted. We can probably tuck these into the “unknown unknowns” column. How many secondary victims have been affected by the most recent US government data breach? How many potential first-time customers are lost when a company like Home Depot is breached? And in a rare turnabout, what do revenge hacks like this cost the St. Louis Cardinals, “one of the sport’s most revered and popular organizations”?