2014 might be remembered as the year of compromise. According to data publishing platform Silk, nearly 290.5 million records were compromised in the top 11 breaches of all time. With a record 783 breaches last year, according to the Identity Theft Resource Center and Identity Theft 911, breach totals are 27.5 percent higher than in 2013.
While cumulative losses are a moving target thanks to long-tail exposure, the average cost is rising. According to global investigations firm Kroll, the average cost of a data breach hit $5.9 million in 2014, up 9 percent from the previous year. Worse, few of the culprits are ever caught. Some of the worst losses, in fact, have yet to be quantified, and may never be, given the ways in which stolen data has been spread globally.
Data breach costs are expected to reach $2.1 trillion globally by 2019, according to a Juniper Research study. That number is four times the estimated cost of breaches expected in 2015. Yet the full scope of data breach losses may never be known. Many breaches affect records and may not show financial impact for years.
To date, the costliest data breaches are:
10. The Home Depot – up to $56 million
A cyberattack in September 2014 on the big box retailer resulted in 56 million credit and debit card records being compromised. Malware launched on the company’s systems remained there for five months before being detected and removed. So far, the company has paid out $33 million in reparations, and that number is expected to reach $56 million.
9. Sony Pictures Entertainment - $100 million
In late 2014, Sony’s entertainment subsidiary was hit with a hacking attack in which hackers, calling themselves Guardians of Peace, claimed to have stolen 100 terabytes of data from Sony’s system. The group then launched a malware program on Sony’s computers to erase the company’s data. The estimated cost of recovery: $100 million.
8. Anthem - $100 million+
In February 2015, health insurer Anthem underwent a cyberattack that revealed the personal information of nearly 80 million people. The amount of information stolen, including names, addresses, and Social Security numbers, leaves Anthem’s customers and former customers open to potential identity theft. Current estimates on the breach costs are expected to surpass $100 million.
7. Heartland Payment Systems – $140 million
The credit card processing company announced in early 2009 that over 130 million credit and debit card records were exposed when the company’s systems were compromised by malware in 2008. In what was, until recently, the costliest breach in history, Heartland paid over $140 million in costs, fines and penalties.
6. TJ Maxx – $162 million
In March 2007, retailer TJ Maxx was hit by a massive security breach that affected 100 million credit and debit card records. The thief, who attacked Heartland’s systems a year later, stole numbers over an 18-month period, causing an estimated $118 million in damages to the department store chain. As late as March 2015, company officials were estimating the breach costs at $162 million. Albert Gonzalez, an American who worked as a paid undercover informant for the Secret Service, was sentenced to 20 years in prison for his part in this and other cyberattacks.
5. Target - $162 million
In November 2013, hackers accessed the credit and debit card information of nearly 110 million Target customers. Commencing just before Thanksgiving and continuing through Black Friday and beyond, hackers tapped into the retailer’s third-party point-of-sale payment card readers. The cost of the compromise is an estimated $162 million.
(Photo: U.S. Attorney Paul Fishman talks about the arrest of four Russian nationals and a Ukrainian, who have been charged with running a sophisticated hacking organization that over seven years penetrated computer networks of more than a dozen major American and international corporations, during a news conference, Thursday, July 25, 2013, in Newark, N.J. The group, according to Fishman, is connected with stealing and selling at least 160 million credit and debit card numbers, resulting in losses of hundreds of millions of dollars. Princeton-based Heartland Payment Systems Inc., which processes credit and debit cards for small to mid-sized businesses, was identified as taking the biggest hit in a scheme starting in 2007 — the theft of more than 130 million card numbers at a loss of about $200 million. AP Photo/Julio Cortez)
4. Sony PlayStation - $171 million
Before the Guardians of Peace set its sights on Sony, hackers made off with over 100 million customer records via the company’s PlayStation gaming device. The intrusion in 2011 halted operation of the PlayStation Network and resulted in Sony’s largest loss to a data breach.
3. Hannaford Bros - $252 million
Maine-based grocery chain Hannaford had over 4.2 million credit and debit card numbers compromised in a 2007 cyberattack. Attackers installed malware on the store’s servers, affecting all 300 stores plus independent stores that sell Hannaford products. The estimated costs total $252 million.
2. Veterans Administration – up to $500 million
In 2006, an unencrypted database containing the records of 26.5 million veterans, active-duty military personnel and their families was breached. The laptop and external hard drive housing the database were stolen from an employee’s home. While the items were returned by an unknown person, the VA estimated that costs related to the theft would run anywhere from $100 million to $500 million.
1. Epsilon - $100 million-$4 billion
In 2011, marketing firm Epsilon was hit by hackers, who grabbed names and email addresses from the company’s marketing division. The theft affected up to 75 client companies, including Best Buy, TiVo, JPMorgan Chase, Capital One, Citi, and Target. In a worst-case scenario, analysts are predicting the costs of the breach could reach $4 billion.