A typical data breach can happen within minutes. Discovering the attack is a different story, however, and can take much longer depending on your security stack and approach. Meanwhile, the consequences of the subsequent data leakage can last years. Verizon's "2021 Data Breach Investigations Report" details how long it typically takes to detect a breach while the malicious actor is already working on the next steps in the attack chain.
“This year we decided to take a look at which breach types take the longest to discover (Figure 39) … we were also curious what kind of data was the fastest to be compromised, and that turns out to be Credentials. This is particularly the case in phishing, which typically goes after the victim’s credentials for use in gaining further access to their chosen victim organization.”
The consequences of compromised data are vast and can have severe impacts. It comes as no surprise that PwC’s 2021 Global Digital Trust Insights report highlights just how much organizations are coming to terms with this. Businesses are investing more, increasing their cyber budget by roughly 55% and headcount by 51%. Companies are also focusing on where they need to change their cyber strategy, with 50% stating “that cyber and privacy will be baked into every business decision or plan” and 72% planning to “strengthen cybersecurity posture while containing costs.”
In today’s hyper-connected world, these breaches are a looming threat for many organizations as well as individuals. Security teams are no longer asking themselves if an attack is on the way but when, and how best to plan for it. The far-reaching effects and wide range of risks businesses face after falling victim to a data breach can be damaging in countless ways, and piecing together the aftermath can be very costly. Let’s review the top four damaging consequences of data leakage in more detail.
Adverse Damage and Consequences of Data Leakage
The ZeroFox threat intelligence team took a closer look at the April 2021 Facebook data leak, illustrating the impacts to executives, enterprises and the growing public attack surface. This is an excellent example of a real-world incident and the lasting effects that can follow, even when the data leak itself “doesn’t seem so bad.” Malicious actors aren’t picky about how “old” data is either, as it can still be used effectively in an attack. Zack Allen, Senior Director of Threat Intelligence at ZeroFox, summarized what hackers do with this data afterward in a Wall Street Journal follow-up article.
“Hackers often release data for free once it has been circulated long enough. Scammers could use data from the breach to send malicious text messages. They could potentially try to take over some phone numbers using a SIM swapping technique, where they use the personal information stolen in the hack to swap the phone number onto another device. It’s a fallacy to believe that old data is bad data. For example, the LinkedIn breach from the early 2010s was used by the Guild of the Grumpy Old Hackers to guess former President Donald Trump’s Twitter username and password in 2016.”
After ZeroFox research obtained the data dump, email addresses were parsed out, and the team found approximately 2.5 million unique, non-Facebook emails. There was speculation that the risk in this instance wasn’t as high, considering passwords were not leaked. This couldn’t be further from the truth and serves as an excellent example of how far “minimal” PII data can be taken. In this instance, threat actors quickly moved to use this data to target specific Facebook accounts and obtain phone numbers as well as other PII to ensure successful attacks in the future. So, what’s in a number? Phone numbers have been increasingly used for identification and authentication; changing a phone number isn’t as easy as updating a password. This breach provides a threat actor the ability to leverage doxing, SIM swaps, phishing, account takeover and more.
Determining whether your data has been leaked is crucial, and monitoring for this on the dark web is a good place to start. The sale of personal data on the dark web has become hugely popular over recent years in the wake of so many high-profile data breaches. Login details, bank account numbers, medical records, passwords, passport numbers, driving licenses, address details and more are all highly valuable pieces of data for criminals. Protecting this type of data is vital as the impact of it being leaked can easily lead to revenue loss, reputational damage, operational disruption, and regulatory sanction, just to name a few.
Lost Revenue and Impact on Finances
Financial impacts are typically the first thing that comes to mind for most business leaders. These can vary depending on the type of data leak, but usually, victims have to tackle costs stemming from damage control. These might include increased security measures, investigation of the breach, reactive steps to contain it, compensation for those affected (such as customers), decreased share value and legal fees. Although it can be challenging to predict how financials might be affected, history shows the losses are significant. Studies show 95% of computer data breaches that led to losses came in at roughly $30,000 on average but climbed as high as $1.6 million in some cases.
Brand Value and Reputation
Imagine reaching a wider audience based entirely upon a recent data breach spotlighted in the news. The damage can be devastating and very difficult to reverse, especially if the incident could have been avoided with proper security measures in place. Customer loyalty, negative press, impersonation and identity theft, and employees’ views all come into play. This can leave a lasting impression, with long-term hurdles and devastating outcomes for an organization’s reputation. With the world looking at you after a breach and those impacted waiting for answers, it’s crucial to ensure each step that follows is handled correctly and in a timely manner. Otherwise, the impacts will continue to grow and can lead to losing both current and prospective customers, investors, employees and more.
Business operations can very well come to a screeching halt following a data leak. The entire mission changes within minutes, focusing all efforts on investigating and containing the attack itself. Operations may need to be completely shut down while investigation and recovery are underway, and this can take anywhere from days to weeks, depending on the level of the breach. This timeline can have a massive effect on revenue alone, not to mention operations as a whole. According to a 2014 study by Gartner, the average cost of network downtime is roughly $5,600 per minute. This equates to average costs between $140,000 and $540,000 per hour, depending on the organization and industry affected.
Risk of Legal Action and Litigation
Regulations regarding data protection legally bind organizations to ensure all steps are taken to avoid a leak. When it comes to personal information, this can even lead to class-action lawsuits. Regulations don’t care whether or not an organization had good intentions, and those affected expect compensation.
A recent CSO article highlights the top fines and penalties seen so far. Following a massive 2017 leak, Equifax “agreed to pay $575 million -- potentially rising to $700 million -- in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s ‘failure to take reasonable steps to secure its network.’” Following a 2014 leak claiming to be the largest “point-of-sale system” breach in history, Home Depot “reportedly paid out at least $134.5 million to credit card companies and banks as a result of the breach. In addition, in 2016, Home Depot agreed to pay $19.5 million to customers that had been affected by the breach, which included the cost of credit monitoring services to breach victims. In 2017 the firm agreed to pay an additional $25 million to the financial institutions affected by the breach that could be claimed by victims and cover banks’ losses.”
Additionally, legal fees must then be factored into the payouts you see in the news. The costs continue to climb if authorities enforce restrictions until legal investigations are complete. All of this adds further long-term hurdles.
How to Prepare for and Remediate Consequences of Data Leakage
The top four consequences of data leakage we’ve reviewed are closely intertwined, which is what makes each of the aftereffects incredibly difficult to keep up with and mitigate effectively. With cybercriminals using public platforms including paste sites, code repositories, dark web forums and the deep web to mine and share leaked or stolen data, protecting your organization and customers from breaches and information leakage is critical. The consequences are simply too severe to ignore.
All of this needs to be done while considering that any remediation actions are likely to be reactive. The data may already be out there, and the damage may have already been done. Measures may need to focus on root cause analysis and how existing controls failed, which in itself can be valuable by leading to the implementation of a more robust security framework.