In today's Finshots, we talk about data breaches and how they affect people and businesses alike.
BigBasket, Unacademy, Justdial, SBI, Haldiram’s — all these companies have one thing in common. They’ve had to deal with data breaches in the recent past. But for some reason, we don’t seem to care a lot about these things. Yes, they’ll make the headlines for a few days. But then they fade into the background and we stop talking about them altogether. Sometimes we don’t even acknowledge them. For instance, when TechCrunch reported that SBI had failed to protect sensitive information of its customers (and published photos of the information it had obtained through the compromised servers), SBI simply denied there was any breach in the first place.
So in this article, we thought we could look at a few case studies and expose the true cost of a data breach.
Let’s start with something simple — a data breach that involves passwords. It happened to LinkedIn back in 2012. At first, it seemed like the damage was going to be limited — considering the passwords were hashed. It’s sort of like saying, “Well, they have the passwords, but they’re coded. So unless they can figure out ways to decipher the code, there isn’t a lot hackers can do.” But then some of these people actually figured out ways to crack the code and the real passwords were exposed. LinkedIn, in the meantime, managed to get affected users to change their passwords almost immediately. However, since some people have this nasty habit of using a single password on almost all of their social media handles, hackers figured out they could try their luck elsewhere and some actually hit pay dirt.
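Why “the passwords were hashed” is a weaker comfort than it sounds, as an added illustration that is not part of the original Finshots piece: a plain, unsalted, fast hash of a common password can be matched against a precomputed table of common passwords, whereas a per-user salt plus a deliberately slow key-derivation function (PBKDF2 here) forces an attacker to start from scratch for every single account. The leaked hashes, usernames and the short list of common passwords below are constructed for the demo; nothing here reflects what LinkedIn actually stored.

```python
import hashlib
import hmac
import os

# Constructed, tiny stand-in for a "common passwords" wordlist.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome1"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, no salt, identical for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def recover_from_unsalted(leaked_hashes: list[str]) -> dict[str, str]:
    """Defender's-eye view of the exposure: how many leaked hashes fall to a
    precomputed table of common passwords (built once, reused for everyone)."""
    table = {sha1_unsalted(p): p for p in COMMON_PASSWORDS}
    return {h: table[h] for h in leaked_hashes if h in table}


def store_password(password: str, iterations: int = 100_000) -> tuple[bytes, int, bytes]:
    """The stronger scheme: random 16-byte salt + PBKDF2-HMAC-SHA256.
    Returns the record a server would persist (salt, iteration count, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: tuple[bytes, int, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_records_differ(password: str) -> bool:
    """Two users with the same password get different records, so a table
    precomputed against one record says nothing about the other."""
    _, _, d1 = store_password(password)
    _, _, d2 = store_password(password)
    return d1 != d2


if __name__ == "__main__":
    # Constructed "leak": three users, two of them with common passwords.
    leak = {
        "user_a": sha1_unsalted("123456"),
        "user_b": sha1_unsalted("Tr0ub4dor&3"),  # not in the wordlist
        "user_c": sha1_unsalted("letmein"),
    }
    cracked = recover_from_unsalted(list(leak.values()))
    print(f"{len(cracked)} of {len(leak)} unsalted hashes matched the wordlist")

    rec = store_password("letmein")
    print("salted verify (correct):", verify_password("letmein", rec))
    print("salted verify (wrong):  ", verify_password("123456", rec))
    print("same password, different records:", salted_records_differ("letmein"))
```

The point for a defender is the asymmetry: with the unsalted scheme one table serves every account in the dump, while the salted slow hash makes each account a separate, expensive job and buys exactly the time the article credits LinkedIn with using to force password resets.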
The only consolation — LinkedIn managed to detect the breach quickly and their response was fairly robust. It’s something to cheer about because it could have been a lot worse. If attackers are afforded an opportunity to spend a lot of time inside a compromised environment, they can meticulously sift through data and gain access to extremely sensitive information. In fact, according to an IBM report, companies able to detect and contain a breach in under 200 days spent on average $1.1 million less than those that didn’t. India’s average response time — the time from detection to containment of a breach — was actually 313 days. That’s not exactly a good look for us, because data breaches can cost everyone a whole lot of money.
There is the loss to customers. There is the intangible reputational loss. There are the added legal fees, the administration fees and the clean-up fees, which might also include PR management. Companies might also have to contend with customer defection and the cost of added security measures. All in all, it’s an absolute nightmare.
But then, it gets worse.
Consider Equifax (a credit monitoring firm like CIBIL in India).
“Equifax disclosed a massive breach at the beginning of September, which exposed personal information for 147.9 million people. The data included birth dates, addresses, some driver’s license numbers, about 209,000 credit card numbers, and Social Security numbers — meaning that almost half the US population potentially had their crucial secret identifier exposed. Because the information stolen from Equifax was so sensitive, it’s widely considered the worst corporate data breach ever.” — Excerpt from an article in Wired.
Anyway, the point is, outside of suffering a massive reputational crisis, the company was also fined $575 million by US regulators for failing to secure clients’ data.
In addition to these material costs, publicly listed companies also have to worry about market participants. Take, for example, Twitter. A few months back, hackers compromised the accounts of some of the most powerful people in the world, including the likes of Elon Musk, Barack Obama, Joe Biden, Bill Gates, and Jeff Bezos. After the hack, Twitter’s share price fell by 5%. That’s ~$300 million wiped out in a single day.
The point is, one of these days, we will have an episode like this. So when that day comes, how prepared will we be?
That is, quite literally, the million-dollar question.
Let us know your thoughts on Twitter.
Correction: In the previous version of this article we mentioned CRISIL instead of CIBIL. The error is regretted.