Feb 11 2016

The Impact of Cybersecurity’s Top Breaches of 2015 – cyber incidents get bigger and go mainstream

Target’s 2013 cybersecurity breach captured the attention of average Americans in a way that no previous incident had before. Once it was clear the company’s CEO was a casualty of the breach fallout, it also gained the attention of chief executives and corporate boards. This concern was only heightened by the 2014 Sony breach that was extensive in both scope and embarrassment. The Sony incident redefined for many the types of data that can damage a company both directly and indirectly.

However, in 2014 it often seemed like cybersecurity breaches were still largely other people’s problems. It became clear in 2015 that breaches are everyone’s problems. The Anthem and Excellus breaches were a wake-up call to the healthcare industry and introduced consumers to the idea that their health data may be even more valuable to criminals than credit card information. The U.S. Office of Personnel Management (OPM) breach offered many lessons in what not to do in protecting against breaches and responding once they are discovered. It also helped many people realize that it is likely that everyone’s identity information is held by one or more foreign governments and criminal enterprises.


Beyond Records, Turning the Lights Out

December brought a different kind of wake-up call that few Americans have absorbed yet. Two Ukrainian power plants were taken down for several hours. To their credit, the power agencies worked quickly to manually bring electricity online. However, what if the outage had persisted? Losing electricity in the winter could mean no heat, no refrigerator, no communication. There is nothing more immediate and personal than interruption to your home life. Welcome to the next frontier of hacking. We knew it was there just around the corner. Now we have an example.


Implications of Big Breaches as the New Normal

2015 will mark the year that the “big breach” became a normal part of the news cycle. Consumers started to recognize the need to learn to live in a world where identity is compromised, and companies need to operate with the understanding that information security is compromised. Psychology and common sense both suggest that you cannot deal with a problem until you recognize it exists. The cybersecurity problem became both personal and unavoidable in 2015. The question is how industry will react over 2016-17 to transition from a sense of helplessness to hopefully taking back control of its own fate.


Select Big Breaches by Month

| Month | Company | Records Exposed |
| --- | --- | --- |
| January | Topface | 20M |
| Feb | Anthem | 78.8M |
| March | Premera | 11M |
| April | Ryanair Ltd | $5M stolen |
| | Rakuten | 7.85M |
| May | | 10M |
| June | OPM | 32M |
| July | Ashley Madison | 37M |
| | UCLA Health Systems | 4.5M |
| August | Carphone | 2.4M |
| Oct | Experian | 15M |
| Sept | Excellus BCBS | 10M |
| | Scottrade | 4.6M |
| | 000webhost | 13M |
| Nov | Vtech | 5M |
| | Moneybookers & Neteller | 8.1M |
| Dec | Voter Database | 191M |
| | Steam | 125M |


The Monthly Numbers

| Month | # of Breaches | Corp | Govt | Records Exposed | Cost |
| --- | --- | --- | --- | --- | --- |
| Jan | 8 | 8 | 0 | 25,985,000 | $15,071,300 |
| Feb | 7 | 7 | 0 | 79,000,000 | $45,820,000 |
| March | 9 | 9 | 0 | 11,000,000 | $6,380,000 |
| April | 11 | 11 | 0 | 8,400,000 | $4,872,000 |
| May | 8 | 6 | 2 | 14,200,000 | $8,236,000 |
| June | 5 | 3 | 2 | 33,200,000 | $19,256,000 |
| July | 5 | 5 | 0 | 43,000,000 | $24,940,000 |
| Aug | 1 | 1 | 0 | 2,400,000 | $1,392,000 |
| Sept | 5 | 5 | 0 | 10,261,000 | $5,951,380 |
| Oct | 5 | 5 | 0 | 34,100,000 | $19,778,000 |
| Nov | 5 | 4 | 1 | 13,100,000 | $7,598,000 |
| Dec | 6 | 5 | 1 | 319,600,000 | $185,368,000 |
| Total | 75 | 69 (92%) | 6 (8%) | 594,246,000 | $344,662,680 |

Note: Cost per breach uses the Verizon 2015 Data Breach Investigations Report average

Of course, this does not reflect all breaches. It only reflects the major breaches that were also publicly announced because customer personal information was exposed. Not every company is required to disclose breaches that don’t expose customer information.

The cost per breach is likely low as well. Verizon did some excellent analysis in its annual Data Breach Investigations Report, but it concludes that each situation is different even among companies with comparable numbers of records exposed. Because there is substantial variety in the breaches listed, we used Verizon’s average of $0.58 per record. However, the estimate for Anthem is over $100 million. So it is plausible to conclude that these estimates could be much higher.


3 Most Significant Data Breaches

Our list of the most significant data breaches in 2015 doesn’t just consider records, although that is a factor. The publicity and impact to the organization were also considered. Our top three list includes:

  1. Anthem Blue Cross Blue Shield – The first large-scale breach of personal medical histories and one that impacted nearly 80 million people. This was merely the first of several big hits to health insurers that included Excellus BlueCross BlueShield, Premera and UCLA Health System.
  2. Office of Personnel Management – A big story in terms of total records (32 million) and a realization of how much data the government stores on citizens. It also illuminated how government agencies can ignore admonitions from inspectors general and Congress without consequences. Well, sometimes there are consequences, as the Director eventually lost her job. The incident was also the likely catalyst that led to this week’s announcement by President Obama that he was creating a new federal CISO post.
  3. Ashley Madison – This was particularly well covered because it exposed a fraud and included salacious subject matter. However, it showed that any organization can be disrupted to the point where it could go out of business entirely and that hacktivism can have serious consequences. Sentek Global suggests that 25% of breaches in 2014 were motivated by hacktivism.

The Sentiment is Changing Quickly

Looking back, 2015 makes 2014 seem like the warm-up. There were still some people who may have thought 2014 was an aberration, but it is hard to believe that sentiment still lingers. The early targets ranging from financial services to government are already spending billions on information security. Expect that trend to take hold across all industries in 2016-17.

By Scott Raspa

Scott Raspa

Raspa oversees all business development and marketing from strategy development to execution. He has 12 years of technology marketing and sales experience in high-growth analytics and security companies. Raspa earned a Bachelor of Science in information systems management from the University of Maryland University College.