4 of the Most Expensive Cyber Attacks of 2017 (and How They Could Have Been Prevented)

10/19/2017  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security


October is Cyber Security Awareness Month. To celebrate, we’re going to look into some of the biggest trends impacting the IT security industry and highlight some important action steps your organization can take to stay ahead of the hackers.

But before we look at the future of cybersecurity, we wanted to take a look back at some of the largest (and most expensive) data breaches of the year.

Here are four of the most expensive cyber attacks of 2017:

1. Equifax 

Estimated Cost: Up to $4 Billion

Last month’s Equifax data breach quickly moved up the ranks as one of the worst cyber security attacks in history after the personal information (including Social Security Numbers, birth dates, addresses, and in some cases driver's license numbers) of 143 million consumers was exposed. While it will take a little while for the dust to settle, the initial impact is brutal. Equifax has lost $4 billion in stock market value since the credit bureau revealed that it was hacked.

How It Could Have Been Prevented:

While Equifax appears to have a robust cybersecurity program in place, it is evident that accidents happen. The massive data breach might have been avoided if Equifax had put additional security measures in place. An independent vulnerability validation process, a proactive approach to cybersecurity, and a layered, defense-in-depth strategy are just a few of the measures that could have prevented the Equifax breach.

2. WannaCry

Estimated Cost: Up to $4 Billion

Until Equifax, WannaCry held the title as the most unprecedented cyber attack of the year because of its incredibly broad impact and how fast it spread. Once WannaCry was activated to unleash devastation, it reportedly spread to more than 100 countries in less than 24 hours. And while the ransomware attackers received only a little over $140,000 in bitcoin from the operation, a report by CBS News said that the losses due to the ransomware attack were estimated to reach around $4 billion!

How It Could Have Been Prevented:

What made the WannaCry ransomware particularly upsetting was the fact that the attackers got in through a vulnerability that Microsoft had discovered and issued a security patch for a couple of months earlier. Hackers were counting on organizations being slow to apply the security patches. Protecting your company against malware attacks requires you to consistently and proactively protect yourself. Our team at LBMC has developed a comprehensive checklist to protect your organization from ransomware attacks that you can use to build defenses against most malware, not just WannaCry.

3. Petya/NotPetya

Estimated Cost: $300 Million (for both Maersk & FedEx)

Not long after WannaCry, another ransomware attack made headline news because of its global impact. While Petya/NotPetya didn't affect nearly as many organizations as WannaCry, the destructive force it had on the organizations that were affected was catastrophic. Most of the victims were in Russia and Ukraine. However, major companies in the West also suffered from the attack, including FedEx and shipping giant Maersk, both of which estimate $300M in lost earnings.

How It Could Have Been Prevented:

Similarly to WannaCry, Petya/NotPetya encrypted users' data and demanded a ransom in exchange for restoring their documents. And like WannaCry, Maersk and FedEx could have avoided being affected by applying the Microsoft security updates and patching their software.

4. Washington State University

Estimated Cost: $630,000+ fines

For the seventh year in a row, healthcare distinguished itself as the most expensive industry for data breaches. Washington State University was one of the latest victims after a hard drive containing the personal data of about 1 million people was stolen in April. While the HIPAA fines have not yet been issued by the Office for Civil Rights, the university has already experienced significant hard costs from the breach, including the deductible for its cybersecurity insurance and the mailing costs to notify affected patients.

How It Could Have Been Prevented:

Unlike the other cyber attacks on our list, Washington State University's breach happened because a physical hard drive was stolen. This is an important reminder that your cybersecurity program should include a plan for protecting your facilities and any other places where patient data (including backup data) is stored. It’s also noteworthy that simply having proper encryption in place for data at rest would have made this a non-story. Having the proper security systems in place is important not only for your patients' physical safety, but also for the safety of their sensitive data.

We Don’t Want to See You on Next Year’s List…

This epidemic of hacking does not show any signs of stopping anytime soon. The more interconnected our world becomes, the higher the risk of security breaches. But by having the proper risk management processes in place, companies can work to avoid the incredibly expensive costs of a data breach.

Click here to learn more about how LBMC can help you ensure your organization has the proper safeguards in place through our comprehensive compliance and audit services.