Password Breach? That'll Be $172,000,000 Please

UK authorities have just slapped Sony PlayStation with a $400,000 fine for their massive password breach in 2011.

That $400k is nothing compared to the total cost. Sony reported an estimated outlay of $171M for insurance, customer support, and rebuilding their user management and security systems. Since the breach, partially due to a drop in customer confidence, Sony’s stock price has dropped from $30 to $13.

(Chart: Sony stock price)

But Sony's was a mega-attack: 77 million exposed records. An attack on a typical user database will more likely cost about $5.5M.

Symantec publishes an annual "Cost of Data Breach Study"; they survey breached companies and share fascinating tidbits and user security trends:

  • The average attack costs a company $5,500,000
  • ~$3M of that is from lost business: increased customer churn, costlier customer acquisition, damaged reputation and loss of goodwill
  • On average, 28,349 records were compromised in an attack
  • The cost to notify breached users increased, due to increased regulation

Notification is only going to become more expensive: the EU and UK aren’t the only places where data breaches can end up in the courts. One of the biggest mistakes Sony made was delaying their reporting of the breach. So far, 45 US states legally require owners of personal information databases to inform affected individuals in the event of a data security breach. Increased privacy legislation is coming to the US, too.

The good news is that more businesses are becoming proactive, and "more organizations are using data loss prevention technologies." This dropped the average cost per breach from $7.2M in 2012. As more attackers leverage the cloud for scaled attacks, more companies are fighting back with cloud security.

Sony wasn't able to hide behind its defense, namely that getting attacked is part of running a "21st Century business." The rebuttal from the UK Information Commissioner's Office was clear:

"There's no disguising that this is a business that should have known better. [Sony]…trades on its technical expertise, and … had access to both the technical knowledge and the resources to keep this information safe."

We started Stormpath to make those resources available to everyone. Even if you don’t need to do Level Five Password Security, secure password workflows and user stores are a great starting point.

If you want to read the whole report: Symantec 2011 Cost of Data Breach Study. And if you want a user management system that handles your workflows securely, use us for free.

Comments

January 25, 2013 | 12:22pm

While I agree that true security breaches are very serious issues and that Sony should have done more to protect their customers' data, I think the idea of fining companies for being hacked sets a pretty dangerous precedent for the software industry.

Are programmers now liable for not creating perfect, bug-free software? In practical terms, there's no such thing as software without some holes or security flaws.

Do smaller businesses now have to double or quadruple their IT spending to make sure everything is thoroughly tested 50 times over before using some bit of software or risk incurring some massive fines?

This isn't to excuse Sony - I wouldn't choose to use them again in the future over this most likely - but just worried about the precedent this fine sets.

Are we now going to have legal advisers dictating what best practices should be to programmers? Are we now going to have lawyers judging software developers performance in trials?

That would be incredibly detrimental to business for just about everybody but lawyers.

January 25, 2013 | 3:07pm

Thanks for the thoughtful comment! You raise a great point. I think the still-open question is "what is a reasonable level of protection a user trusting a company with their data can expect?" While bug-free software is certainly unattainable, it's reasonable for a user to expect a company to comply with their data privacy terms (for instance). I agree that the vague penalization of developers and businesses is unfair. But my read of the report is that public and government sensitivity to data privacy influences companies to build more trustworthy and secure systems.

Thanks for chiming in - the precedent risk is really good food for thought.

January 25, 2013 | 11:00pm

It's not even about them being fined for being hacked, even though that's what it seems. It's the fact that Sony had millions of people's secure information and the system they were using to protect the information was subpar at most. With Sony being a big company they should have handled their customers' private information more fairly, also for the fact that when it did happen, customers weren't notified in a timely fashion that their information might be breached.

January 25, 2013 | 3:46pm

Well, we have no problem with slapping fines/imprisonment on civil engineers if their products fail. Granted, if their products fail, there is generally injury or loss of life. But why should we not be responsible for our ineptitude? Costing businesses a few extra bucks is not a good reason imo.

January 25, 2013 | 5:40pm

Well, this really depends. At the end of the day people just don't care until after their breach, and then all they want to do is point fingers at everyone apart from themselves.

One does not need to multiply their IT budget, test 50 more times, or anything too costly; simply, they need developers that are capable of understanding what is and what isn't secure and implement based on industry best practices, not what one imagines security to be.

I was asked recently to do a security audit of a codebase. I prepared an extremely reasonable fixed price quote (5 grand for approx. half a million lines of code, a solid week of work and a vuln. report/email exchange with developers at the end of the process).

Customer has failed to get back to me for about 3 months; the code that I was given to quote off is live now and has supposedly passed an internal security audit. (It's a small company that has 3 on-staff developers, apparently with combined experience of over 35 years of development.)

They were notified the day that the quote was presented to them that there were areas of extremely serious concern and it is highly likely that an attack will occur. The reason why this specific information has not been presented to them is based on the fact that if I don't get paid for work performed my family cannot afford food or housing, so I am not in the business of providing any consulting for free.

The fact that the site/system is secure is plastered all over the advertising material and it is a professional service for companies in a large yet niche market with no other companies servicing it. At their pricing structure it appears that it will take 'half' a customer to become profitable, and they have 2 customers at the moment, so it's not like they are struggling for VC funding.

A preliminary audit (really just a grep of possible problem spots) of the codebase showed up LFI, remote upload, poor password security, 'pretend' encryption / session management, SQL injection in over 4 dozen fields, no data separation between test and live systems, unauthenticated ajax calls, log files with 777 permissions (for god knows what reason); in total there were over 500 areas of concern (but because this was an initial quote I only spent a few hours digging).

The list goes on; if I black-boxed it I still would have found enough to take over the server and remove all logs relating to the attack, because some of the issues were so obvious that you could see them a mile off (e.g. checking file extension only in JavaScript for file upload in one spot; checking file extension on the server for another file upload but taking a filename that is passed in as another parameter, and that parameter is not checked for filename).

A single attacker could quite easily obtain 50 to 100 credentials of staff per 'customer' as well as hundreds of 'public end user' credentials with only a few hours of work.
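The file-upload mistake the commenter describes (an extension check that runs on one parameter while the file is stored under another, unchecked one) beside a server-side version that derives the stored name only from the validated input; this is an added illustration, not code from the post or the audited system, and the allowlist, function names and upload directory are constructed for the example:

```python
import os
import posixpath
from typing import Optional

# Constructed allowlist for this example; a real service picks its own.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}


def extension_allowed_loosely(name: str) -> bool:
    """The kind of check the comment found: only the last extension is
    inspected, so 'report.php.png' passes."""
    return name.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def vulnerable_storage_name(uploaded_filename: str, requested_name: str) -> Optional[str]:
    """Pattern from the comment: the check runs against the uploaded file's
    name, but the file is written under a second request parameter that is
    never validated, so the check is decorative."""
    if not extension_allowed_loosely(uploaded_filename):
        return None
    return requested_name  # unchecked: traversal and any extension go through


def hardened_storage_name(uploaded_filename: str) -> Optional[str]:
    """Derive the on-disk name from the validated upload name alone.
    Directory components are dropped, the first dot splits stem from
    extension (so double extensions fail the allowlist), and the stem is
    reduced to a conservative character set."""
    base = posixpath.basename(uploaded_filename.replace("\\", "/"))
    if "." not in base:
        return None
    stem, ext = base.split(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    safe_stem = "".join(c for c in stem if c.isalnum() or c in "-_")[:64] or "upload"
    return f"{safe_stem}.{ext}"


def storage_path(upload_dir: str, uploaded_filename: str) -> Optional[str]:
    """Final defence: even a validated name must resolve inside upload_dir."""
    name = hardened_storage_name(uploaded_filename)
    if name is None:
        return None
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```

The client-side JavaScript check mentioned in the comment is omitted on purpose: it is a usability aid, and only the server-side path above is a control.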

January 25, 2013 | 8:29pm

This article is the dumbest assortment of meaningless tech buzzwords and misunderstandings of security I have ever had the misfortune to read. I award you no points and I now feel dumber for having read it.

I hope you learn some basic skills with computers some day so that you might eventually become a contributing member of society instead of peddling this mind-blowingly retarded dribble and acting like you know something.

January 26, 2013 | 5:02am

Well, lawyers make $700.00/hr and the best programmers get $100.00/hr. Expect to pay for security in the future.
