What Is a Data Breach and How to Mitigate Its Effects
May 14, 2025
TL;DR
- A data breach is a specific type of cyber incident that involves unauthorized access to sensitive information, in contrast to other cyber attacks, such as business interruptions, that don't necessarily compromise internal assets.
- Complete prevention of a data breach is unrealistic in today's landscape, necessitating instead proactive planning and resilience-building strategies that mitigate the potential damages.
- High-profile data breaches, such as those at Yahoo, MOVEit, and Change Healthcare, have had massive financial, operational, and societal impacts, further underscoring the need for robust, proactive mitigation measures.
- Cyber risk quantification (CRQ) assessments are the first step toward building data breach resilience, highlighting the likelihood and financial repercussions, and providing organizations with actionable data to align risks with their risk appetite and inform decision-making.
- Additionally, with CRQ insights, chief information security officers (CISOs) can identify and prioritize the most effective security control upgrades and system updates to reduce breach impact cost-effectively.
- Aligning breach costs with risk appetite lays the groundwork for more confident incident response (IR) planning, enabling teams to practice how to contain and recover from breaches with minimal disruption.
- Considering the inevitability of a data breach, organizations must invest in proactive mitigation measures to optimize resource allocation and significantly reduce the costs they may incur.
What Is a Data Breach?
All data breaches are considered cyber attacks, but not all cyber attacks are breaches. A data breach is a unique type of cyber incident that specifically involves unauthorized access to sensitive and confidential information pertaining to customer data, corporate data, or both. DDoS attacks and business outages, for instance, are not categorized as breaches because an external actor has not compromised internal assets.
While organizations, depending on their specific technological profile and firmographics, face a unique level of exposure to these types of malicious events, every player in the market is vulnerable. Avoiding a data breach is virtually impossible in this day and age, and it can end up being extremely costly if appropriate measures are not established beforehand. When it comes to a data breach, the best strategy that chief information security officers (CISOs) can take is proactive preparation and resilience building.
The Largest Data Breaches in the 21st Century
In 2017, IBM Security and the Ponemon Institute found that the likelihood of an organization experiencing a data breach was around 25%, and since then, this likelihood has steadily increased. In fact, data breaches have become so common that the mainstream media does not report most of them. Nevertheless, a few that have occurred in the past 20 years have been so massive that they have sent ripple effects across the entire marketplace.
1. Change Healthcare Data Breach
In February 2024, healthcare revenue and payment cycle management company Change Healthcare detected malicious activity within its systems and, subsequently, disconnected its networks and took operations offline. This move led to monumental disruptions across the sector, with hospitals, health systems, and pharmacies unable to perform critical operations. Moreover, by the time the incident had been unearthed, nearly six terabytes of data pertaining to over 100 million individuals had already been compromised.
As of October 2024, numerous lawsuits have been filed against the organization, and the cost of the incident reached $2.9 billion, in addition to the $9 billion shelled out in advance payments to healthcare providers. The breach highlighted not only the devastating financial consequences of inadequate cybersecurity measures and incident response plans but also the far-reaching societal consequences that cyber risks can bring about.
2. MOVEit Data Breach
File transfer program MOVEit was breached in May 2023 by CL0P, a notorious ransomware attack group. The group exploited vulnerability CVE-2023-34362, injecting several SQL commands into the program and thereby accessing the databases of thousands of MOVEit customers, including multiple governments, financial institutions, and other private corporations such as the Louisiana Office of Motor Vehicles, Ernst and Young, Deutsche Bank, and British Airways. Nearly 80% of the victims were US-based.
As of June 2024, roughly 2,700 organizations in total were reported to have been affected, along with 96 million individuals. The cost of the breach has reached upwards of $12 billion, and hundreds of those affected are still suffering the consequences. The MOVEit breach served as a wake-up call for many about the cyber risk that accompanies working with third-party service providers and how a single exploited vulnerability can cascade into widespread, global damage.
3. Yahoo Data Breach
Considered the largest data breach in history, the Yahoo cyber attack of 2013 saw the compromise of all 3 billion user accounts. Although the company did not officially announce the incident until 2016, officials reportedly knew about it as early as 2014. Digital thieves, who were later revealed to be Russia-backed state hackers, exfiltrated data such as names, phone numbers, passwords, backup email addresses, and more.
Nearly two dozen class action lawsuits were filed in the wake of the attack's announcement. Additionally, the company, which was set to be acquired by Verizon Communications for $5 billion, lost $350 million in the final deal due to its lack of transparency. Primarily due to incidents such as these, the US SEC now requires corporations to disclose material cyber events within four days of their determination, ensuring all stakeholders and investors have access to the relevant information to make informed decisions.
4. Facebook Data Breach
With over 3.07 billion global users, Facebook is an extremely attractive target for malicious cyber actors, and it has experienced multiple data breaches over the years. Of these events, one of the most significant ones occurred in 2019, when a vulnerability in a now-disabled feature was exploited, compromising the data of 530 million individuals.
According to security experts, the leaked data, although it did not include financial, health, or password information, left the users extremely vulnerable. The issue was patched in August of that year, but before the updates had been made, Facebook was compelled to pay $5 billion in a settlement with the US FTC for violating a user privacy agreement. In the end, Facebook decided not to notify those individuals whose personal information had been compromised, claiming that it was not completely sure of the specific users it would have to contact.
5. National Public Data Breach
In August 2024, three lawsuits were filed against Jerico Pictures, Inc., which does business as National Public Data, in response to a large-scale data breach that took place four months earlier. Approximately 2.7 billion data records were leaked in the breach, including millions of US Social Security numbers, and were posted for free public download.
Other personally identifiable information (PII) that was leaked in the data breach includes:
- First, last, and alternative names
- Dates of birth
- 420 million home addresses, both old and new
- More than 161 phone numbers
As of October 24, Jerico Pictures has filed for bankruptcy and claims that it still does not know the exact number of individuals affected, believing, however, that it could add up to "hundreds of millions," making this one of the largest data breaches on record.
How to Mitigate Data Breach Damages
In the early days, cybersecurity leaders were primarily concerned with securing the perimeter, focusing on firewalls, antivirus software, and network defenses to prevent unauthorized access to internal systems. However, given the rapid increase in data breaches worldwide, coupled with their rising costs, it’s now more widely accepted that resilience is the more strategic objective, emphasizing the need to mitigate potential impacts proactively.
Step 1: Conduct a Cybersecurity Assessment
Before pursuing any initiative, CISOs must first conduct an in-depth cybersecurity assessment to illuminate their organization's current exposure to data breaches. While there is a wide variety of assessments whose insights can lay the foundation for a robust plan, when it comes to developing cost mitigation strategies, the most useful to leverage is a quantitative one.
On-demand cyber risk quantification (CRQ) evaluations are particularly valuable as they can take into account a company's unique cyber risk profile, along with the specific external risk factors it faces, and, capitalizing on globally-sourced objective data, determine its average likelihood of experiencing a data breach coupled with the respective consequences.

For instance, in Figure 1, Kovrr's on-demand CRQ models calculated that Cloud Software Inc. has a 7.66% likelihood of experiencing a data breach in the upcoming year. Moreover, should they suffer from such an event, they are, on average, likely to lose $1.27 million. Now, with this information, the CISO and other key stakeholders can determine if they even need to pursue mitigation measures in the first place to align this exposure more closely with risk appetite levels or if the amount can be absorbed.
Step 2: Prioritize Cyber Risk Mitigation Efforts
If losses due to a cyber breach, which can also be quantified in terms of potential outage hours and the number of data records compromised, exceed an organization's risk appetite levels, the next step is to prioritize the potential mitigation efforts that can be taken. Indeed, not all initiatives will have the same effect on exposure, so, typically, CISOs will want to escalate those initiatives that either will have the biggest impact, yield a positive ROI, or both.

On-demand cyber risk quantification solutions are similarly helpful in this regard, offering a detailed breakdown of the cybersecurity control upgrades that are going to prove most effective in reducing the costs of a data breach. According to Figure 2, for example, Cloud Software Inc., which adheres to the NIST CSF, would see the greatest monetary reduction in data breach exposure, up to nearly $700 thousand, if they upgraded their Identity Management control.
Harnessing on-demand CRQ, organizations can also simulate various ‘What-If’ scenarios, such as network isolation, and test the level of impact these adjustments would have on data breach exposure levels. Cyber risk quantification gives CISOs the means to explore the various options available to them and determine which will have the most significant impact, allowing for more strategic prioritization of initiatives.
Step 3: Implement Cybersecurity Upgrades
While minimization of financial exposure is merely one component that CISOs must consider in their overall cybersecurity strategies, it is nevertheless a crucial aspect, helping to ensure the organization can remain resilient in the wake of a cyber breach. Once the rest of the factors, such as return on investment (ROI) and alignment with overall business objectives, have been taken into account, it's time for the team to implement the relevant security control upgrades and system updates.
This more tactical part of the process is typically carried out by the cybersecurity team rather than the CISO and can involve anything from deploying advanced threat detection tools and patching vulnerabilities to configuring firewalls, updating access control protocols, and conducting regular penetration tests to ensure the effectiveness of previously implemented measures.
Step 4: Implement Upgrades and Reassess Cybersecurity Posture
After the latest upgrades have been implemented and maturity levels are verified to have been raised, the final step in the process is to reassess the organization's cybersecurity posture to measure the effectiveness of the changes.
A follow-up on-demand CRQ analysis should be run, offering updated insights into both the company's likelihood of experiencing a data breach and the financial exposure associated with such events. By comparing the pre- and post-upgrade assessments, executives can verify that their investments have reduced data breach exposure levels.
From Cost Alignment to IR Preparedness
Reducing the average expected cost of a data breach to a level that more closely aligns with the organization's cyber risk appetite is a critical step toward achieving resilience. Once the necessary actions have been executed and breach costs have fallen below such acceptable thresholds, businesses can be confident that they can absorb the potential losses they inevitably face without jeopardizing operations to a material extent.
Such alignment likewise allows stakeholders to allocate resources more effectively and balance proactive risk mitigation efforts with other strategic priorities, such as incident response (IR) planning. Indeed, IR preparedness would be the next step toward building resilience, as teams will need to practice how they would handle, contain, and recover from a breach to minimize disruption and financial impact.
Aligning exposure levels with risk appetite lays the groundwork for effective IR preparedness, ensuring organizations can confidently weather cyber incidents and swiftly recover with minimal disruption. This dual focus on proactive cost management and strategic response planning strengthens operational resilience and reinforces stakeholder confidence in the aftermath of a breach.
Building Resilience With Proactive Data Breach Mitigation Strategies
Data breaches are plainly one of the most damaging types of cyber events, not only financially but also operationally and reputationally. Unfortunately, in today's threat landscape, with new risks emerging daily, and AI poised to become more sophisticated than ever, complete prevention is an unrealistic goal. Organizations, instead, must accept that a breach is not a matter of if but when, and the best response to this reality is proactive planning.
Conducting a cyber risk quantification assessment provides the invaluable insights necessary for this strategic approach to data breach resilience, revealing the likelihood of experiencing a breach and the respective financial losses that will ensue, among other information. Armed with these quantitative details, CISOs can strategically lower their exposure to align with their risk appetite, ensuring they are prepared to handle the consequences without sacrificing critical operations.
In the face of cyber uncertainty, proactive mitigation is the key to market success.
Mitigate Data Breach Exposure With Kovrr’s CRQ Insights
Leveraging objective, on-demand, quantified insights is the first step toward building a resilient organization. To learn more about how Kovrr's cyber risk quantification solution fuels this resilience in the wake of a data breach, schedule a free platform demo today.


