The High Cost of an Application Security Data Breach
In the wake of the Sony security breaches (breaches, you say? As in plural? Yes, read on for more information) I decided to update some of our instructor-led training slide decks.
The first few slides of our security awareness courses are intended to scare people into paying attention to the threat of security issues. We do this by showing the largest, most costly and most impactful data breaches and security vulnerabilities in recent history.
Instead, I scared myself. There is no statistic I could find showing that things are getting better or more secure in general.
Before I list off all these terrible statistics, I should say that the companies we work with are, by and large, getting more secure over time. I've seen some of our clients go from unknowingly writing insecure applications to having robust, mature Secure Software Development Lifecycles that drastically reduce the number of issues we find in quarterly assessments. These micro-trends, unfortunately, seem to be the exception to the rule.
These companies should also stand as a reference point for others who find themselves a target for attackers, or who fear they are not doing enough to protect themselves and their customers from this type of attack.
Another correlation a colleague of mine, Tom Samstag, found while researching is the negative attention a large data breach attracts. After a public attack, hackers seem to swarm in, focusing their attention on other arms of the same company. This makes sense from the attacker's perspective: the initial breach acts as a beacon identifying companies that do not have proper security measures in place.
We see exactly this happening to Sony right now.
One month after their infamous PlayStation Network breach on April 26th, Sony BMG suffered another breach on May 23rd, then Sony Pictures was hacked less than two weeks later on June 2nd. It seems the hackers smelled blood and came running; I wonder what will be next?
Of course it's easy to pick on Sony, but they're far from the only company to have lost large amounts of data in recent months.
PrivacyRights.org tracks publicly reported data breaches; they report 533,686,975 records breached in 2,511 data breaches since 2005. There are a lot of recognizable names in that list as well, chronologically speaking: Sony, WordPress, the Texas Comptroller's Office, Health Net Inc., Jacobi Medical Center, and American Honda Motor Company. Those companies have all lost more than one million records each in the last 6 months. Let me repeat that:
The companies named above have all lost more than 1,000,000 records each in the last 6 months.
A recent Ponemon study found that the average cost to the breached company was $214 per record lost, up from $138 per record in 2005. By that measure Sony got away cheap, if the most recent numbers are correct and their PSN breach only cost them $171 million: at $214 per record, the 101.6 million records lost would have implied a cost north of $21 billion. (The Ponemon average is drawn from far smaller breaches and is not meant to be multiplied out over a hundred million records, but it shows how low the $171 million figure is.)
The study went on to conclude that indirect breach costs, such as the loss of customers, outweigh direct costs by nearly 2 to 1. That means Sony could lose another $342 million in customers, market share and customer confidence. In 2010, other companies spent on average $7.2 million per data breach. Talk about consequences!
Unfortunately, it also seems more vulnerabilities are being found in software, likely due to insecure coding practices, insufficient security measures and controls, lack of training, and an attacker threat that increases almost daily. According to an IBM study there were 4,938 vulnerabilities found in 2005, 6,543 in 2007, 6,737 in 2009 and 8,562 in 2010. (Disclosure counts also rise with the amount of software being shipped and the number of researchers looking, so they are a rough proxy for code quality rather than a direct measure of it.) See the graph below for more data points.
If you've been waiting to see who has lost the most records in recent history, you can check out the PrivacyRights.org website, or read my list of shame below: the most recent breaches that have lost more than 1,000,000 records.
- Sony PlayStation Network
  - 101.6 million records lost
- Texas Comptroller's Office
- Health Net Inc.
- Jacobi Medical Center
- American Honda Motor Company
- Educational Credit Management Corporation
- U.S. Military Veterans
- Heartland Payment Systems
- Royal Bank of Scotland
- Countrywide Financial Corp
- University of Utah Hospitals and Clinics
- Bank of New York Mellon
  - 12.5 million records lost
- TJX Corporation
  - 6.3 million customer records lost
- Hannaford Bros
  - 4.2 million credit card numbers lost
- Fidelity National
- Georgia Dept. of Community Health
  - 2.9 million medical records lost