Massive Data Leaks Keep Happening Because Big Companies Can Afford to Lose Your Data

The Weakest Link is Motherboard's third, annual theme week dedicated to the future of hacking and cybersecurity. Follow along here .

Listen to Motherboard’s new hacking podcast, CYBER, here.

If you live in the United States, there's almost a 50 percent chance your personal data was lost in the giant Equifax data breach a year ago of 143 million records. Google had its own data breach in October this year that exposed data on as many as 500,000 accounts. Or the most recent Facebook breach of data from 29 million users. Or, over the last five years alone, major breaches at Anthem, eBay, JPMorgan Chase, Home Depot, Yahoo, Target, Adobe … but you get the point. If it's day that ends in “day,” there must have been another major data breach that keeps criminal hackers gainfully employed by selling your information.

Bad guys keep getting smarter, experts say. Why not corporations? The short answer is, because it's not worth their trouble.

Small potatoes

Companies take risks to make profits. When the downside is small, they stay risky.

The 2018 Cost of a Data Breach Study from the Ponemon Institute and IBM pegs average costs per data breach globally at $3.86 million, including IT expenses, insurance, notification, and lost customers and business. In the US, the average is $7.91 million.

That might sound like a lot to you, but that number doesn't exist in a vacuum. The 477 companies studied had between 1,000 and 100,000 employees, with annual revenues from $100 million to more than $25 billion. To these companies, the cost of a breach "is a rounding error," said Larry Ponemon, chairman of the research firm, in a phone interview. "The company spends more money buying coffee for its office workers."

And then, the chance of a material breach over two years is 27.9 percent. That means an average annual cost globally of $538,000, or $1.1 million for US companies.

Costs of protection

On the other side of the equation are cybersecurity costs.

"You can't ever make your system 100 percent secure," said O. Sami Saydjari, author of Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time. "You have to make an investment decision."

On average, companies spend 3.3 percent of their revenues on IT, according to professional services network Deloitte. Saydjari says that cybersecurity budgets are usually 3 percent of that: 0.1 percent of total revenue.

And then there are cyber incident insurance policies that can cover a number of things, including data breaches. NetDiligence, a cyber risk assessment company, does an annual study based on reported insurance claims. The average amount spent by large companies on a breach, when it happened, was $5.9 million. Assuming for a second that companies pay insurance when the cost is less than the actual incidents, chances are that annual expense is even lower than the incident costs. To put it differently, cyber insurance costs make breaches even more affordable.

Executives focus on things that make a big difference to the company. Breach and protection costs are so small that they get little attention. Insurance is likely to be on the same scale or less. When management doesn't see something as an important financial priority, it doesn't get done.

Talking about my reputation

Saydjari argues that the full costs of a breach, particularly a massive one that attracts a lot of media attention, are much higher than executives realize. The Ponemon study agrees in part, estimating that for tens of millions of records, the price tag is more like $360 million, including expenses of addressing the problem, notifying customers, and lost sales and brand damage. But those breaches for a single company are usually rare. As part of standard risk management, companies will anticipate the costs and assign an annual contribution to overhead. The amounts are so small relative to revenue and other expenses, they quickly vanish to the unaided executive eye.

That doesn't count the impact on stock price or on potential consumer revolt: in other words, reputational damage. But how far does it go? Facebook saw a hit after the Cambridge Analytica scandal, but the stock quickly recovered and headed toward new highs. The 20 percent drop in July was about slowed user growth and missed earnings, according to MarketWatch. After its data breach, Equifax stock lost more than a third of its value, took three months to even earn half of that back, and a year to get within 6 percent of the former price, which made it an outlier compared to other breaches. And the news surrounding it—the CEO resignation with $18.4 million in pension benefits, the music-major chief security officer—only added to its status as a breach far worse than the average.

The markets tend to forget quickly. We consumers do so even faster, according to trust studies Ponemon has done.

The firm examined Facebook user perceptions of trust after a major breach. The percentage of people trusting the company with their personal data plummeted from 78 percent to 25 percent overnight, according to a separate Ponemon study. But "very quickly the company went back up to 30 then 50 then 60 [percent]," Ponemon said. Within two months, everything was largely back to normal. He's seen the same pattern in other companies: 2 to 3 months later, people forgot about the issue. Part is because they wanted to keep using a service or product—often ones without an easy replacement. And stocks of major companies that took big hits in the past don't seem permanently mired. In fact, for most you’d have a difficult time, looking at a stock chart, to pinpoint where the problem occurred.

It's a new meaning of too-big-to-fail. As long as we go back after major breaches, companies won't sweat the small stuff.