The Hard Realities of a Cyber Event
CLOUD HACK
Company profile: construction company with offices nationwide
A national construction company used a third-party cloud service provider to store its customers' personal information. The cloud provider suffered a major data breach that compromised the personally identifiable information (PII) of thousands of the construction company's customers in several states. As the owner of the data, the construction company had a legal obligation to provide adequate and timely notice to those customers. The Attorneys General of several states opened a regulatory investigation to determine whether the company had responded to the breach in accordance with their state laws. Because the construction company had no document retention procedure and stored far more data than it needed, it was obligated to notify over 10,000 past and present customers that their data had been compromised, and it also had to pay the costs of defending the regulatory investigation.
According to the NetDiligence® Data Breach Cost Calculator* the estimated costs for this event for the construction company could be:
Estimated Incident Investigation Costs: $181,900
Estimated Customer Notification/Crisis Management Costs: $41,775
Estimated Defense & Settlement Costs: $639,100
Estimated Total Costs: $862,775
The average cost of an event of this type can run as high as $1,860,000 for a business.
Risk Management Tips:
- Know where confidential information is stored, whether internally or with a vendor.
- Understand your vendors' network security controls and any contract language that allocates liability for data.
- Have a document retention procedure in place so that you store only the information you need, for only as long as you need it.
*The NetDiligence® Data Breach Cost Calculator and other tools are available to insureds on the Travelers’ eRisk Hub®. eRisk Hub is a registered trademark of NetDiligence.
ONLINE ORDERING SHUT DOWN
Company profile: a clothing and accessories manufacturer
A clothing and accessories manufacturer whose online ordering system generates 50% of its revenue suffered a data breach. The FBI notified the company that a hacker it had arrested was in possession of the credit card numbers of 500,000 of the company's customers. A forensic investigator hired by the company determined that the criminal had compromised the online shopping carts over a six-month period and had captured names, addresses, credit card numbers, expiration dates, card security codes and e-mail addresses.
The company's Payment Card Industry (PCI) agreement required it to hire a certified forensic investigator to examine its systems and related infrastructure. The company incurred significant costs: it had to notify the affected customers as required by state law, and it offered them one year of free credit monitoring. It hired a public relations firm to maintain customer confidence and limit reputational damage. It was also subject to regulatory fines and penalties.
According to the NetDiligence® Data Breach Cost Calculator* the estimated costs for the manufacturer could be:
Estimated Incident Investigation Costs: $315,400
Estimated Legal Fees and Settlement Costs: $1,021,900
Estimated Customer Notification/Crisis Management Costs: $1,927,000
Estimated Total Costs: $10,797,600
The average cost of an event of this type can run as high as $2,426,000 for a business.
Risk Management Tips:
- Maintain, and frequently review, your compliance obligations under your Payment Card Industry (PCI) agreement.
- Consider implementing end-to-end encryption of credit card transactions so that card data is never exposed in the clear on your own systems.
- Employ a chief information security officer (CISO) to develop and implement business-wide data privacy procedures.
PHISHING EMAIL
Company profile: medical group
An employee of a medical group opened a phishing e-mail, and the malicious code it carried spread into the group's centralized network. Anti-virus software failed to block it, exposing the names, addresses, dates of birth, medical record numbers, medications, dates of service and diagnoses of 1,200 patients. A computer forensics investigator was hired and determined that protected health information (PHI) had been compromised. The medical group notified the affected individuals and hired a public relations firm in anticipation of bad publicity. The HHS Office for Civil Rights then launched an investigation, and the medical group was fined for a HIPAA violation because access to its network had not been adequately secured.
According to the NetDiligence® Data Breach Cost Calculator* the estimated costs for this event for the medical group could be:
Estimated Incident Investigation Costs: $180,000
Estimated Customer Notification/Crisis Management Costs: $46,000
Estimated Fines & Penalties: $364,000
Estimated Total Costs: $590,000
Risk Management Tips:
- Implement a phishing-awareness training program that teaches employees to recognize and report suspicious e-mails.
- Conduct more frequent vulnerability assessments and penetration tests.
- Create, implement and test an incident response plan.
WEBSITE VULNERABILITY
Company profile: national nonprofit food bank
A metropolitan food bank experienced a cybersecurity breach that resulted in the unauthorized disclosure of more than 10,000 donors' personal information. Malware on the food bank's web server allowed an unauthorized individual to access donor information over a three-year period. The personal information included names, addresses, e-mail addresses, credit and debit card numbers, security codes and expiration dates.
Computer forensic experts were retained to assist with the investigation. Corrective measures included changing all passwords, implementing additional monitoring, and reviewing the food bank's policies and procedures to ensure that all information would be appropriately protected going forward. In addition, because the laws of several states were implicated, the food bank was required to notify all affected donors and to provide identity protection and credit monitoring for one year.
According to the NetDiligence® Data Breach Cost Calculator* the estimated costs for this event for the food bank could be:
Estimated Investigation & Notification Costs: $197,350
Estimated Fines & Penalties: $117,050
Estimated Legal Defense & Settlement Costs: $543,000
Estimated Total Costs: $857,400
The average cost of an event of this type can run as high as $1,728,000 for a business.
Risk Management Tips:
- Encrypt sensitive data at rest on network servers.
- Conduct more frequent vulnerability assessments and penetration tests.
- Create, implement and test an incident response plan.