The cost of the Optus data breach being estimated. The bill will be large. IBM estimates that the average cost of remedying a data breach involving 1 – 10 million records is USD 49 million
September 26, 2022 |
Over the many years I have written about privacy and cyber security (as well as commercial and defamation law) I have never ceased to be amazed at how organisations blithely accept the risk of a data breach through poor privacy and cyber security practices, given the jaw-dropping costs of remediation after such a breach. Bringing in a range of experts to assess the damage, locate the cause of the breach, work with the regulators and then deal with litigation by those regulators or disgruntled customers can run up a cost of hundreds of thousands of dollars, and often millions.
IBM’s Cost of a Data Breach Report for 2022 highlights the poor state of readiness of many companies with:
- 83% of organisations had experienced more than one data breach.
- in 60% of organisations, the breach led to an increase in prices passed on to customers.
- 79% of critical infrastructure organisations had not deployed a zero trust architecture.
- 11% of breaches were ransomware attacks, with an average cost of USD 4.62 million.
- when remote working was a factor in causing the breach, costs were on average nearly USD 1 million higher than in breaches where remote working was not a factor: USD 4.99 million versus USD 4.02 million.
- businesses with an incident response (IR) team that regularly tested its IR plan saw breach costs an average of USD 2.66 million lower than organisations with neither a plan nor a team, a 58% saving.
- the healthcare industry had the highest average cost of a breach.
- the average cost of a data breach in Australia was $2.92 million in 2022, up slightly from $2.82 million in 2021.
- the average time to identify and contain a data breach in 2022 was 277 days: 207 days to identify the breach and 70 days to contain it.
- the most common initial attack vector in 2022 was stolen or compromised credentials, and breaches starting that way cost an average of USD 4.50 million.
- the most common initial attack vectors in 2022 were:
  - compromised credentials, 19% of breaches,
  - phishing, 16%,
  - cloud misconfiguration, 15%, and
  - vulnerabilities in third-party software, 13%.
- attack vectors with longer mean times to identify and contain, such as phishing and business email compromise, were also among the most expensive types of breach, at 16.6% above the overall mean time to identify and contain a data breach.
- breaches caused by business email compromise had the second highest mean time to identify and contain, at 308 days. Business email compromise was also the second costliest initial attack vector, with breaches costing an average of USD 4.89 million.
- organisations with fully deployed security AI and automation saved an average of USD 3.05 million per breach compared with those that had none deployed. Security AI and automation refers to security technologies that augment or replace human intervention in the identification and containment of incidents and intrusion attempts.
- organisations with fully deployed security AI and automation took an average of 181 days to identify and 68 days to contain a data breach, a total lifecycle of 249 days. Those with no security AI and automation deployed took an average of 235 days to identify and 88 days to contain a breach, a total lifecycle of 323 days, 74 days longer than organisations with fully deployed security AI and automation.
- ransomware breaches took 49 days longer than average to identify and contain.
- supply chain breaches took on average 26 days longer to identify and contain than the global average.
- the average total cost of a mega breach involving 50 million to 60 million records was USD 387 million. For breaches involving 1 – 10 million records the average cost was USD 49 million.
Some of the basic mitigation steps the report recommends include:
- using data classification schemes and retention programs to reduce the volume of sensitive information that is exposed to a breach.
- using data encryption, including fully homomorphic encryption.
- using an internal framework for audits, evaluating risk across the enterprise and tracking compliance with governance requirements.
- deploying tools to monitor endpoints and remote employees, such as:
  - unified endpoint management (UEM),
  - endpoint detection and response (EDR) and
  - identity and access management (IAM) products.
- forming an incident response (IR) team and testing the IR plan extensively. That means routinely exercising the plan through tabletop exercises or breach scenarios in a simulated environment such as a cyber range.
- adopting adversary simulation exercises, also known as red team exercises, to improve detection and response by uncovering attack paths and techniques that defenders might otherwise miss and by identifying gaps in detection and response capabilities.
The Australian Financial Review has undertaken a not bad analysis of the costs Optus might, and probably will, face in "The Optus hack will cost millions (and not just in payouts)":
Based on the experience of companies overseas, the Optus cybersecurity breach could cost the company hundreds of millions of dollars.
The minor move in the share price of Singapore Telecommunications, the parent of cyber-hacked telecommunications company Optus, is surprising given the likely heavy commercial costs from losing the data of up to 9.2 million customers.
Optus will suffer financial damage in two ways. It will lose profits to competitors as existing and potential customers go elsewhere. Also, its expenses will balloon to cover the cost of fixing its weak security defences and to compensate customers.
Both of these financial issues are hard to quantify because of the uncertainty about exactly how many people were affected, how many lost driver's licences and passports, and the extent of the liabilities borne by Optus for not stopping the hackers.
Neither Telstra nor TPG were crowing on Friday even though there are many individuals and corporations likely to rethink moving their business to Optus.
Mobile customers regularly churn from one telco to another to obtain better deals on plans and phones. Over the past few years, customers have been leaving TPG Telecom, which owns the Vodafone brand, to Telstra and, to a lesser extent, to Optus.
The industry’s economics started to improve this year after Telstra pushed through higher prices, and that was closely followed by Optus and TPG.
Optus chief executive Kelly Bayer Rosmarin could respond to the cyber hack by cutting the price of Optus’ mobile plans. But this strategy would only work if Bayer Rosmarin can prove to the world that Optus has fixed all of its data protection failings.
Assessing the damage
Restoring trust in the Optus brand could take a year. One thing in Bayer Rosmarin’s favour is that 65 per cent of her mobile customers are on postpaid plans that run for a minimum of 12 months.
Profits lost to competitors are likely to be small compared to the expansion in costs incurred in fixing the IT systems and paying compensation.
The overseas experience of companies which have lost a large amount of company data gives some indication of what may happen at Optus.
When Sony was hacked in 2015, it was forced by a United States judge to pay employees affected by the data breach a total of $US10,000 each to cover the cost of identity theft.
Only about 800 employees were entitled to this payment, which cost Sony about $US8 million.
A better example of the potential cost of large-scale data breaches can be found in the class action against T-Mobile, also in the United States. It was hacked in August 2021.
A class action resulted in a settlement for the data breach of $US500 million, which was split $US350 million for customers and $US150 million for repairing IT systems.
This worked out at a paltry $US4.38 a head for the 80 million people affected by the data breach.
Another infamous breach was the loss of data by credit monitoring company Equifax in 2017. It lost the customer details of 147.9 million Americans, 15.2 million British citizens and about 19,000 Canadians.
A settlement which received approval in February 2020 resulted in each of the customers being awarded a one-year, $US125 subscription to the Equifax credit monitoring service.
This was a pragmatic solution to the problem because it allowed each individual affected by the data breach to be alerted if a criminal tried to use their personal details to obtain a fraudulent loan.
Options on the table
This solution is being considered by Optus. But it was not clear on Friday whether it would extend it to all the customers whose data was stolen or only those who lost driver's licences and passports.
If Optus decides to be generous and offer every customer who lost data a one-year subscription to the local Equifax credit monitoring service it would cost $119.40 for each customer.
That would cost about $1 billion. This is an unrealistic number given that Optus could probably negotiate a reasonable discount. Also, it may only offer the service for six months which would cost substantially less.
It is highly likely this option will only be offered to those customers who had their driver's licences and passports stolen. This would be a much smaller subset of the total.
These customers are particularly vulnerable because once a criminal with skills in social engineering has a driver’s licence or a passport, they could take control of your finances.
This drastic scenario would include the criminal using the stolen documents to switch the customer’s mobile to another SIM card, which could then be used for two-factor identification.
One way of working out the financial damage to an individual from the data breach at Optus is to examine what the federal government regards as the price of privacy protection failure.
The way to do this is to look at the rules which underpin the federal government's My Health Records legislation.
According to the Healthcare Identifiers Act 2010, the penalty for allowing a person’s healthcare records to be stolen is 50 penalty points. According to the Australian Securities and Investments Commission, each penalty point under federal government legislation is $222 from July 1 this year.
If the class action lawyers latch on to this statistic then the total cost to Optus would be $2 billion.
Of course, the data records kept by Optus are not covered by this law. But the penalty does indicate what policymakers think of the gravity of a failure in privacy protection.
One issue that will have to be on the agenda of federal Attorney-General Mark Dreyfus is the law surrounding the protection of data and whether Australia should upgrade its laws to match those in the European Union, where General Data Protection Regulation has transformed the protection of data.
Dreyfus might also want to ask whether it was appropriate for Optus to be holding on to the records of customers who had left the company as far back as 2017.
Individuals directly affected by the Optus cybersecurity breach should consider themselves as potential identity theft victims.
Optus says customers should look out for any suspicious or unexpected activity across online accounts, including relating to bank accounts.
It says customers should be on the lookout for contact from scammers who may have their personal information. This may include suspicious emails, texts, phone calls or messages on social media.
Also, Optus advised customers never to click on any links that look suspicious and never provide passwords or any personal or financial information.
The websites that can be helpful are moneysmart.gov.au and the identity fraud advice at oaic.gov.au.
Optus said it would contact all customers, but would not be sending any emails or texts containing links.