Photo of computer cables with label Data Breach in red

The Anatomy of a Breach

Video Anatomy of a Breach

Let’s start with some findings relating to the breach, current events.  A mega-breach is more than a million rows of data loss or stolen.  A million records are not hard to get to these days and if breached, the remediation expense is the heaviest in year one, two thirds, year two is twenty-two percent and then eleven percent for the out years, but as experience would tell us that toward the end of an event like this, the last eleven percent will cost you about half your money and half your time.

Who’s breaching you, fifty-one percent is your classic hackers, outsiders, out there to just get some financial gain and steal identities.  You can basically divide a breach into three motivated categories: identities, finances, and health.  Identities have value for impersonation, people trying to use your ID to get a job, travel, and more.  Financial thief is all about what it sounds like, taking someone else’s money, steal a credit card, and use it until it dies.  A medical record thief has the most value, a complete identity kit. The dark web calls this thief “The FullZ”, everything you need to build a new life. Twenty-four percent of breaches are human error, those are your employees clicking on websites not knowing what they’re doing and downloading malware or getting phished via email.  Twenty-five percent of breaches are from system glitches, this one makes me smile because a system glitch is something that breaks but then fixes itself. In software systems, to me, that’s just bad coding and “fixes itself” is when services are restarted, or computers are rebooted.  Hackers are always looking for bad coding or what we call “vulnerabilities”.

Another important statistic today is the likelihood of being breach, in 2020 you are one third more likely to get breached in the next two years, if you’re sitting at a table right now with someone to your right and left, you, one of them are going to get breached.

The anatomy of a breach is a collection of events and the time they play into.

Source: Paperclip

January: For the last 279 days on average the hackers have been sitting in your system undetected.  They have figured out through elevated access, privileges, passwords, and discovery, for almost nine-plus months, they now have all your data and now you just discovered it!  Equifax hackers sat in their systems for ninety days until they were discovered.  The CEO is briefed, the board of directors is briefed, everybody pulls out the playbook or the incident plan, and hopefully, everyone has one so, they can determine the next play to call.

February: Well that is obviously to your breach law firm, every organization should have a law firm with breach experience.  I mean, through contracts or any type of cyber questionnaires or surveys about breach notices, the lawyers are running the show.  Do not think your employees will be calling customers telling them that they just got breached and we lost all your NPI, PII, and PHI, the law firm is going to manage communications.  Your job is to start determining how many records are stolen, isolate the vulnerability, and plug up the hole.

March: The law firm has now picked a cyber forensic firm, they’re working very hard collecting information, interviewing your I.T., other individuals concerned and other people in the firm are researching and assessing federal and state laws.  They’re trying to understand, what the level of the breach is and are there any safe harbor exemptions.  Then the next decision is how and when to contact law enforcement if they didn’t call you first.  Many times, a company first hears of the breach when law enforcement calls them because they found data related to you there.

April: Public relations firm is now selected; somebody has to go out and tell the world that this breach event has happened.  So, they are being coached by the law firm, and forensics firm and everyone agrees when to go public.  It now tracks pretty well that seven percent of your customer base is lost, and that means they’re not coming back.

May: In May, public relations is fully engaged, the forensic reports are coming in and you now know who, what, when and where about the breach.  Full knowledge of the breach, on average, takes 73 days.  Once all that information comes in 30% of those breach companies, fire the CIO or CISO.

June: With all the reports coming in, we now have identifiable, quantifiable records to address.  The company, the law firm, and the PR firm gather and decide on what credit monitoring to engage.  It is very clear now on what state and federal laws that must be adhered to.

July:   Credit monitoring selected is directly related to the information stolen.  Identities are going to cost you about ten to fifteen dollars if that included financial information you’re getting up there around fifty bucks, and if that also included medical information then you’re nipping at a hundred dollars per record.  So this is where the big money starts to spend, now you’ve spent ten million dollars, just to go out and protect people’s credit for a year, and just so you know, the average shelf life of people’s data is four years.  Back at the ranch, the law firm is talking to your employees involved that have any information that could help. The real critical part of this is they are looking for the decision of negligence, a breach of duty because a finding of gross neglect down the road here is going to be a multiplier for what’s coming.

August: The law firm in August is now answering all the federal and state inquires, they know what they must report, to whom, and by when while starting those interviews. Now the board of directors has decided if the CEO stays or goes, three out of ten CEOs are terminated.

September:  When the Board reaches decisions like that, they’ve pretty well figured out who they’re going to hire.  The interesting thing here with the new CEO, CIO or CISO, they’re looking for people, oddly enough who have breach experience, the experience that will navigate them over the next few years.  Public relations remain engaged, they’re running with the company message, working its reputation, getting out there as much positive information and truthful information as they can.  Now all the people who are going to be hurt and become victims form up and start bringing civil actions.

October: The new CEO and team have decided on what enhanced security they want to deploy immediately, they promised to increase the cyber budget by two or three times and everybody in the company has to go through cyber training, multiple times.

November: The federal and state fines are being levied, you know how much they want, and a lot of its being driven again by the type of information was taken.  Equifax in federal and state fines has paid over $700 million dollars.  Public relations are continuing their work.

December: The legal group continues the civil actions; public relations continues working and settlements are being agreed upon.  Your one million record data breach has cost you now $48 million dollars.  Two thirds, so as you can see when you start taking that out over the next couple years you will be nipping at a $100 million dollars.

Let’s turn the conversation now to the people whose’s data that you’re entrusted to protect has been effected.  The average of victims is losing $197 dollars. If they are a casualty of this breach, they could lose their job or contracts to no fault of their own.

The psychological effects of anger, annoyance, cheated, and as you can see most everybody just has a sense of helplessness.  What is interesting here is that cyber-crime today in 2020, is tracking with what we’ll call, physical crime, assaults, and burglaries. People have that same emotional stress now about their electronic records as they do about their property.

Back at the shop employees have reputational issues, you have already lost some of your key members and soon other staff will be lost.  Those that work with the customers constantly having to defend and promised that they can and will do better.  The media is just negative press, you lost their data, how dare you lose their data. Social media is just disruption and the people get a negative perception of technology; when someone really wants to come out and tout something new, they just see it as another chance to be robbed.  Moral, for obvious reasons, has reached a low point and that’s where the leadership has to come in positive action and positive leadership.

Economically, $197 dollars doesn’t sound like a lot, but when you take it times a million that’s a $197 million dollars of money that are coming out of the people that trusted you to protect their information, and some of them will never be made whole.  Example: in the 2020 settlement for Equifax, the court capped the top line claim to twenty thousand dollars.  If you lost thirty thousand or fifty thousand, you lost money and you are not getting it back.


Of course, with all these individuals, and the way they feel eighty percent of them said they will continue to use the internet despite the risk, so they will just become victims again when the next group gets hacked.  Equifax lost control of 150 million records consisting of identities and financial information, almost half of Americans.  To date, Equifax has paid out over $1.3 billion dollars.