Data Breach Case Studies
Two cases that provide information about significant financial or business losses due to data breaches were found. The first describes how data on what was initially estimated at around 500 million guests was compromised at Marriott International, how the breach led to $28 million in costs so far, and how call volume at Marriott's call centers fell sharply. The second describes how a data breach at Equifax led to costs of almost $1.4 billion, investigations by public officials and dozens of lawsuits.
MARRIOTT STARWOOD DATABASE BREACH
- Marriott International operates worldwide, with over 6,700 properties in 129 countries.
- On September 8, 2018, an internal security tool alerted Marriott to an attempt to access its Starwood guest reservation database in the United States. Marriott engaged outside security experts to investigate, and they soon established that the Starwood network had been compromised since 2014.
- An unauthorized party had copied and encrypted information. On November 19, 2018, Marriott confirmed that the information came from the Starwood guest reservation database and that data on around 500 million guests who had made a reservation at a Starwood property was affected. For roughly 327 million of these guests the data includes some combination of name, email address and other details, and for some it also includes payment card numbers and their expiration dates.
- In its fourth-quarter 2018 earnings report, Marriott said the breach had cost $28 million so far. Its CEO said customer loyalty had not been affected, but calls to the company's call centers dropped from around 40,000 in December to approximately 3,000 in February.
- After the breach was made public on November 30, a number of customers and investors filed lawsuits against Marriott, so the final cost is likely to be considerably higher than $28 million.
- Marriott later revised its figures: the investigation put the number of affected guest records at 383 million, and found that around 25 million passport numbers may have been stolen.
- Some articles argue that the Marriott breach could have been prevented by applying a software update; others argue that companies need a holistic, "data-first" security approach and should use tools and vendors that take the same holistic view.
- Marriott's CEO said the company's highest priority would be deploying tokenization and encryption tools to protect its data.
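To make concrete what "tokenization" buys a reservation system, the following is an added example written for this page; it is not Marriott's code and says nothing about how Marriott implemented it. The TokenVault class, the make_reservation function, the sample card number and the in-memory storage are all constructed for illustration. The point it demonstrates is that the reservation database only ever stores a random token, so a copy of that database (the artifact taken in the Starwood breach) contains no card numbers; the vault that maps tokens back to card numbers is a separate, far smaller system.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check that payment card numbers satisfy."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization vault: the only component that ever holds a real PAN.

    In production the stored PANs would be encrypted under a key held in an HSM and
    the vault would live in its own network segment; here the mapping is an in-memory
    dict so that the example runs stand-alone.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret key for the lookup index below
        self._pan_by_token = {}       # token -> PAN
        self._token_by_index = {}     # HMAC(PAN) -> token, so one card always gets one token

    def _index(self, pan: str) -> str:
        # A keyed hash, not a plain hash: a plain SHA-256 of a 16-digit PAN can be
        # brute-forced from a stolen index, an HMAC under a secret key cannot.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Same length as the PAN and same last four digits, so existing database
            # columns and "card ending in 1111" displays keep working; the rest is random.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that are themselves Luhn-valid: a token must never be
            # mistakable for, or usable as, a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment service, never the reservation system, should be able to call this."""
        return self._pan_by_token[token]


def make_reservation(vault: TokenVault, guest: str, pan: str, nights: int) -> dict:
    """Build the record the reservation database stores: it holds a token, never the PAN."""
    return {"guest": guest, "nights": nights, "card_token": vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    test_pan = "4111111111111111"   # constructed test number that passes the Luhn check
    record = make_reservation(vault, "A. Guest", test_pan, 3)
    print(record)
    print("PAN present in stored record:", test_pan in repr(record))
```

The caveat a practitioner would add: tokenization only moves the problem to the vault, so the vault's access controls, key management and logging are what the design now depends on. Encryption of the reservation database itself does not give the same separation, because the database server, and anyone who compromises it, must hold the decryption key to serve queries.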
EQUIFAX DATA BREACH
- Equifax is a global information company that helps other companies make better business decisions; it has operations in 24 countries across Europe, the Asia-Pacific region and the Americas.
- In September 2017, Equifax announced that around 143 million US consumers were potentially affected by a cybersecurity incident that ran from May to July 2017, and that it had hired a leading cybersecurity firm to investigate the breach.
- The compromised information mainly included names, addresses, Social Security numbers and other personal information. During the investigation Equifax also found that credit card numbers for around 209,000 US consumers had been exposed, along with some personal information for residents of the UK and Canada.
- The most recent report indicates that Equifax has spent almost $1.4 billion on costs related to the 2017 breach.
- Besides exposing data on a very large number of people in the United States, the United Kingdom and Canada, the breach led to dozens of lawsuits and to investigations by public officials, so the final cost could be even higher.
- The Government Accountability Office reported that the breach could have been prevented had Equifax paid more attention to identification, detection, segmentation and data governance. A Senate subcommittee report concluded that Equifax's response to the vulnerability was "inadequate and hampered by Equifax's neglect of cybersecurity".
- Equifax made an elementary mistake: it failed to patch, in time, a publicly disclosed vulnerability in Apache Struts for which a fix was already available.
- Some preventive measures are as simple as regularly patching applications; others, such as upgrading a framework like Apache Struts to a newer release line, require analysis and testing and are not as easy to implement.
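The first step of "regularly patching" is knowing which version of a framework each application actually ships, and the Struts case shows the cost of not knowing. The following is an added example, not code from Equifax or the Apache Struts project: it reads a Maven pom.xml, resolves ${property} version references the way Maven does for the simple case, and flags dependencies declared below a minimum version. The sample pom, the project names in it and the minimum-version threshold passed to outdated() are all constructed for illustration; in practice the threshold comes from the vendor's advisory for the vulnerability being tracked.

```python
import re
import xml.etree.ElementTree as ET

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml: a web application still pinned to an old Struts line,
# with the version indirected through a Maven property as real poms often do.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>dispute-portal</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.20</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.7</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text: str) -> tuple:
    """Turn '2.3.20', '2.5.10.1' or '2.3.20-SNAPSHOT' into a comparable tuple of ints.

    Padded to four components so that '2.5' and '2.5.0' compare equal; a plain
    string comparison would rank '2.3.9' above '2.3.20', which is the classic bug.
    """
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (4 - len(nums)))[:4]


def declared_dependencies(pom_xml: str) -> dict:
    """Return {'groupId:artifactId': version} with ${property} references resolved from <properties>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", MAVEN_NS)}
    deps = {}
    for dep in root.findall("m:dependencies/m:dependency", MAVEN_NS):
        group = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS).strip()
        version = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        # Leave unknown properties untouched so they are reported rather than silently passed.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), version)
        deps[f"{group}:{artifact}"] = version
    return deps


def outdated(deps: dict, minimums: dict) -> list:
    """List (coordinate, declared, minimum) for each tracked dependency below its minimum version.

    A version that could not be resolved (still contains '${') is reported too: it
    usually means the real version lives in a parent pom and must be checked there.
    """
    findings = []
    for coord, minimum in minimums.items():
        declared = deps.get(coord)
        if declared is None:
            continue
        if "${" in declared or parse_version(declared) < parse_version(minimum):
            findings.append((coord, declared, minimum))
    return findings


if __name__ == "__main__":
    deps = declared_dependencies(SAMPLE_POM)
    # Illustrative threshold only; take the real value from the advisory you are tracking.
    for coord, declared, minimum in outdated(deps, {"org.apache.struts:struts2-core": "2.4.0"}):
        print(f"{coord}: declared {declared}, advisory requires at least {minimum}")
```

This checks what the build declares, which is the easy half of the problem; the GAO's point about identification is that Equifax did not know which systems ran the vulnerable framework at all. A declared-version check has to be run across every repository, and complemented by scanning deployed artifacts, before it answers that question.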
First, our research team looked for case studies that mention data breaches in large companies and their costs in industry reports from Verizon, IBM, Avast, Radware and other cybersecurity publishers. These sources gave us data on the total global cost of data breaches and on what they cost companies in general, but no figures for financial losses due to a data breach at any specific large company.
We then scanned news articles and publications such as Business Insider, Digital Guardian, Wired, ZDNet, TechRepublic and others, looking for enterprise companies that had experienced significant financial or business loss due to a data breach. This turned up a number of companies with large losses whose breaches were more than two years old, including Yahoo, Epsilon and Exactis, and some more recent cases, such as Aadhaar, for which only the number of users affected was reported. Only one large company that experienced significant financial losses in the last year was found. We assume that costs have not yet been reported for some companies because the incidents happened recently, and that some companies do not want to disclose this information publicly.
Since only one company met the criteria, we expanded our scope to enterprise data breaches in the last two years. This produced only one further company that met our criteria, and it was slightly outside the two-year window; because its financial loss from the breach was so large, we decided to include it in our findings.