More Money, More Problems: The Most Expensive Data Breaches in History

By Brittany Demendi / Adlumin, Inc.
May 5, 2022

Data breaches are more expensive and detrimental than you expect. Why? Companies are not just paying for the immediate repair of the breach but the aftermath that comes with it. The follow-on effects include not just financial consequences such as lost productivity and revenue but reputational damage and employee attrition. Additionally, these effects can play out over the best part of two years.

A company’s size can also contribute to whether there is a chance of recovery. For example, “60% of small businesses fold within six months of a cyber-attack,” according to Inc. This statistic makes sense when considering that the margin for error is negligible in many businesses that live month to month in terms of solvency. Consider Mossack Fonseca, a little-known law firm in Central America but remembered (if at all) as the epicenter of the Panama Papers scandal. In the wake of a cyberattack, “reputational deterioration” led to the demise of the firm.

Large or small, it is clear that no one company is safe from breaches. Even with many companies folding after an attack, some high-profile companies have worked their way back up after almost business-fatal breaches. Let’s dive into some of the most expensive data breaches to date.

  1. $190 Million – Capital One

What happened?

A hacker broke into a server at Capitol One and gained access to over 100 million customers’ accounts and credit card applications. In addition to 140,000 Social Security numbers. Capital One agreed to pay $190 million to settle a class-action lawsuit.

  • Year: 2019
  • Location: Seattle, Washington
  1. $1.4 Billion – Equifax

What happened?

In 2017, the personal information of over 147 million people was exposed and stolen from Equifax, a credit reporting agency. Equifax faced a lot of backlash and was criticized for its lack of security and response to the breach. Due to failure in patch management, they were hacked through a compliant web portal. Their internal process lacked entirely, and now they suffer from a substantial financial hit.

  • Year: 2017
  • Location: Headquartered in Atlanta, Georgia 
  1. $4 Billion – Epsilon

What happened?

After years of recovery, Epsilon, an international marketing company of Alliance Data Systems Corp, comes in first place for the most expensive data breach. The breach affected 75 companies, including Target, Chase, JP Morgan, and Best Buy. Epsilon houses 40 billion emails annually and 2,200+ brands internationally, so you can imagine the impact this had on customers. It is estimated that only 3% of email addresses were exposed, resulting in them losing $45 million worth of business.

  • Year: 2011
  • Location: Headquartered in Irving, TX

Additional Notable Breaches:

  • Travelex was hit by ransomware, lied about the attack for months (called it a maintenance issue), and finally folded.
  • Starwood Marriott had information of over 500 million guests stolen. Marriott inherited the cost of the breach two years after they acquired Starwood—M&A means assets plus liabilities.
  • Yahoo lost billions in value post-hack during the acquisition by Verizon.
  • US Office of Personnel Management (OPM) experienced over 21.5 million individuals’ background investigation records stolen. In addition, the personal data of 4.2 million former and current Federal government employees was stolen.

Solutions: How to Protect Your Organization

The cost of a data breach is not the only misconception harbored by business leaders. The notion that these attacks are impossible to stop is another. This second fallacy is more damaging because it creates a sense of impunity or fatalistic surrender. It admonishes the company from taking any responsibility in the wake of a data breach. In other words, you can protect your business from sophisticated cyberattacks, and you must defend. Regulators, court decisions, and denied insurance claims are finally beginning to counterbalance this skewed narrative.

As an organization, you may not have control over whether a cybercriminal will go after your data or not, but you do have control over the steps to take to mitigate the risk. Typically, it is best to invest in a managed security services platform that does the heavy lifting for your IT team. These platforms are built to discover threats, malfunctions, and IT operation failures in real-time. You can also receive updates that go directly to your phone and email about what is going on within your IT environment. The managed security platform you choose should be built on the following three components:

  1. Network Health and Compliance
  • This feature will keep your organization’s compliance up to date while actively searching for violations in real-time and keeping you informed.
  1. Detection and Artificial Intelligence
  • A platform that gives you AI and machine learning in the form of User & Entity Behavior Analytics (UEBA) to automatically write (and re-write) your SIEM rules dynamically as your network traffic changes.
  1. Data Research and Log Management
  • With one quick step, all user and account activity can be correlated. A security analytics platform allows you to quickly scope out a potential breach using advanced research tools that help visualize access for every account and system on your network.

In addition, for complete visibility into your enterprise network, there are 24/7 Security Operations Center (SOC) services available. This service can provide you and your IT team with 24/7 monitoring of every system and account on your network. There is a light at the end of the dark tunnel for options for protecting your customers, employees, and organization. The great news is that these options are available as all-in-one solutions and are cost-effective.

Next Steps

If you’re interested in learning more about data breaches, check out Data Breaches: Uncovering the Unknown. Or, if you are looking to enhance your organization’s security, request a demo with one of our experts.