The Cost of a Website Security Breach

October 21st, 2019

The cost of a website breach can range from government regulatory fines to increased operating costs to customer loss, among others. Data breaches are extremely costly and significantly damaging to enterprises. The good news is that you can avoid them with best practices. An often overlooked and increasingly targeted attack area is an organization’s website.

Understanding the real cost of a website breach can be difficult for businesses that haven’t experienced an incident. However, we’re living in a time where website security breaches are taking place daily. The widespread use of the Internet by companies to reach consumers and provide better customer experiences has also increased cybersecurity incidents.

The number of website security breaches that occur yearly is staggering. In 2018, roughly 4800 websites were infected with formjacking code each month according to Symantec. The company reported blocking 3.7 million formjacking attacks on endpoints that year, making robust website security even more crucial.

You Do The Work, They Steal It

This year alone, there have been 3,813 confirmed cybersecurity breaches according to The 2019 Mid-Year Data Breach Quickview Report, resulting in 4.1 billion records exposed. The rate of occurrence is also up when compared to the same period in 2018. Also, SiteLock revealed in its 2018 Q1 Website Security Insider report that the average website is attacked 50 times per day. Now more than ever, websites need better security measures in place to protect against client-side attacks.

Criminals find your company’s customer data extremely valuable. For example, the value of stealing credit card information online is high because of the richness of data. Credit card number, expiration date, CVV code, address, and full name can all be acquired when stolen from a website. The information is then traded on the dark web or utilized by the hacker. So any business that collects customer data including PII (Personally Identifiable Information) and financial data is a target.

Cost of Website Breach

There are long and short-term consequences of website security breaches. Short-term consequences may include: 

  • Fines from government agencies and industry bodies, for example under PCI DSS (the Payment Card Industry Data Security Standard) or from the FTC (Federal Trade Commission), and others.
  • Forensic investigation costs. Organizations are responsible for conducting investigations into why a given data breach occurred. 
  • Increased ongoing operations cost. A company may be subject to remediation efforts or other compliance requirements that raise the cost.

Long-term consequences may include:

  • Losing the trust of consumers. The trustworthiness of a business is the primary driver of revenues.
  • A damaged and possibly unrecoverable reputation. Organizations may go out of business or be forced to file for bankruptcy in worst-case scenarios.
  • Businesses that suffer from website breaches are often required to pay for ongoing customer credit card monitoring. Even mailing notifications to millions of affected users is very costly.

Let’s look at some real examples of data breaches and the consequences those companies faced.

1. British Airways (BA)

Hackers stole the data of half a million consumers by diverting people to a fraudulent website. BA was fined £183 million for the 2018 data breach caused by first-party JavaScript compromise, which is tougher to solve. The ICO (Information Commissioner’s Office) found that BA had poor security procedures in place. This situation is a good illustration of the cost of a website breach, and of why companies need to take their responsibility to protect customer information more seriously.

2. Marriott

An attack on Marriott in 2018 affected up to 500 million consumers. Attackers accessed customer data such as payment details, addresses, names, emails, etc. Starwood, a Marriott subsidiary, was the source of the security breach. Perhaps it could have been avoided if Marriott had paid more attention to the security measures protecting customer data at Starwood.

The website hack suffered by Marriott’s subsidiary cost the company millions. The hotel chain was fined $123 million (or £99 million) under the General Data Protection Regulation (GDPR) for that breach. Furthermore, Turkish regulators issued a fine of 1.5 million TL (Turkish lira), amounting to 265,000 US dollars.

3. Equifax

Equifax lost the financial and personal data of 150 million people in 2017 due to a database mishap. The company also failed to inform consumers about the breach when it was discovered. Equifax waited for two weeks to do so. Hackers exploited a vulnerability in a website application used by Equifax to gain access to sensitive data. That breach cost the company $575 million (with the possibility of increasing) in settlements with several agencies, primarily the FTC, CFPB (Consumer Financial Protection Bureau), and all 50 US states.

4. Yahoo

In 2013, Yahoo exposed three billion accounts due to sub-par website security measures. The breach leaked the personal data and passwords of every user affected. However, things took a turn for the worse when Yahoo was attacked again in 2014, exposing 500 million accounts. The company later agreed to pay $50 million and provide ongoing free credit protection or monitoring to affected users.

5. Uber

The ride-sharing app, Uber, had 57 million users worldwide and 600,000 US-based driver accounts breached in 2016. Also, the company decided to pay the criminal’s demand of $100,000 for their silence instead of informing the public. Uber was later fined $148 million in 2018 for violating United States data breach notification laws. Additionally, the organization’s European operation was fined £385,000 for the breach, which affected about 3 million British users.

Organizations Have to Do Better

Whether small or large, businesses have to pay better attention to website security, specifically to browser-side or client-side vulnerabilities. The examples discussed here are evidence of this fact. One data breach can amount to millions of dollars in short- and long-term financial impact for enterprises. However, breaches are dangerous for both consumers and organizations. Knowing the cost of a website breach can help you assess risk and implement strong security measures in your company.

Aanand Krishnan, CEO and Founder of Tala Security
