Data loss is expensive. IBM research from 2022 found that the global average cost of a data breach was $4.35 million. But the costs of data loss aren’t purely financial: legal, operational, and reputational impacts, although often overlooked, can be far more costly in the long run.
While research like that mentioned above gives us a general idea of data breach costs, the impacts of a data breach can last years, making it incredibly difficult to ascertain the actual cost of data loss. In this article, we’ll look at two examples of data breaches and their impacts to better understand their actual cost to modern organizations.
Yahoo – 2013/14
Ten years ago, Yahoo suffered the most significant data breach ever. Staggeringly, it remains as such to this day. Even as cyberattacks have grown steadily in frequency and severity, the Yahoo breach has bucked the trend, stubbornly clinging to the top spot. But that isn’t the only reason the Yahoo breach is so notable: it is essentially a masterclass in how not to handle a data breach. Let’s look at why.
Yahoo suffered a data breach at the hands of an unknown attacker in August 2013. In a string of events that seem bizarre by today’s standards, the company didn’t report the incident until December 2016, claiming the breach impacted over 1 billion user accounts, before updating the report just under a year later to confirm that all 3 billion user accounts had been affected.
To make matters worse, Yahoo suffered a separate data breach in late 2014, failing to report it until September 2016. In a later report, the company revealed that, in this case, attackers had likely used manufactured web cookies to compromise login credentials and gain access to up to 500 million user accounts.
Things only got worse from there. At the time of the announcements, Verizon was purchasing a portion of Yahoo’s properties. Yahoo only notified Verizon of the breach two days before the September announcement. While the sale did go ahead, the sale price plummeted by $350 million, falling from $4.83 billion to $4.48 billion.
But it didn’t end there. Two months after Yahoo announced the 2014 data breach, the company had been hit with 23 class-action lawsuits. After much deliberation, five of those lawsuits were consolidated into a single case, which resulted in Yahoo offering 200 million users credit monitoring services for two years and settling for $117.5 million. Immediately following the announcement of the 2013 attack, a New York consumer filed a lawsuit on behalf of all affected United States users. Yahoo settled this additional lawsuit for $29 million in 2019.
But that’s not all. Yahoo’s reputational damages from this breach and its subsequent mishandling are incalculable. The Yahoo brand has never recovered. At the time of the first announcement, Yahoo was still a significant player in the online space. Today, aside from a few services like Yahoo Mail, the Yahoo brand has largely been consigned to the annals of history. While the Verizon acquisition undoubtedly played a role in Yahoo’s fall from grace, one can’t help but wonder where the brand would be today if it had handled these two data breaches better.
River City Media – 2017
In 2017, River City Media was one of the largest spam-slinging organizations in the world, allegedly sending over 1 billion emails a day. In 2023, it no longer exists. You can probably guess why.
In March 2017, a security analyst, Chris Vickery, happened upon an enormous trove of unprotected data. That data turned out to be a backup repository of over 1.37 billion contact details amassed by River City Media. Unfortunately for the “digital marketing” business, someone had forgotten to put a password on the backup.
This case is decidedly less complicated than Yahoo’s. Security experts and the popular press all but crucified River City Media, and, despite its attempts to defend itself, the company’s reputation never recovered, and it quickly went bust.
These two cases are striking examples of how bad a data breach can be. Financial damages are only the beginning; reputational and legal consequences bring organizations down. River City Media never even faced economic consequences; the reputational damage alone was enough to shut the business down.
Considering past events, organizations must take data protection seriously. There’s much talk of inevitable data breaches, but that doesn’t mean businesses can rest on their laurels and wait to be attacked. Organizations should consider, among other things, implementing a data loss prevention (DLP) solution, which would seriously reduce the risk of a breach. The lesson is that a data breach is not merely a nuisance but an existential threat.