As the National Australia Bank (NAB) manages the fallout of a significant data breach, new research has found that Australian businesses are getting slower at identifying and containing data breaches – whose average cost increased 14 percent over the past year, to an average of more than $3m.
The NAB breach occurred when personal information of around 13,000 customers – including name, date of birth, contact details, and driver’s license or other government identifying numbers – was uploaded to the servers of two data service companies.
A contrite Glenda Crisp, chief data officer with the NAB, said in a video statement that the breach was the result of human error – and that NAB passwords and logins remain secure.
“We understand how this has happened and are putting in place methods and processes to prevent it from occurring again,” she said.
The bank is “moving quickly to proactively contact every person affected,” Crisp said, noting that it had reached out by phone, email or written letter to each affected person and had a dedicated specialist support team available 24/7.
NAB will foot the bill for any documents that need to be reissued, and will also pay for “independent, enhanced fraud detection identification services for affected customers”, the bank said.
Counting the cost
The NAB breach may not have been massive relative to some of the breaches now being revealed around the world – most recently, Facebook was fined $US5 billion for its privacy violations and Equifax reached a $US700m agreement – but its total cost may nonetheless be considerable.
The average data breach over the last year involved 25,575 records and cost $US3.92m ($A5.67m), according to the newly released IBM Security-Ponemon Institute Cost of a Data Breach 2019 report, which surveyed 507 organisations across 16 countries.
Breaches due to human error cost an average $US3.5m ($A5.1m), while misconfiguration of cloud servers led to the breach of 990m data records last year – 43 percent of all records lost during the year – and left key systems exposed to exploitation by cryptojackers and other cybercriminals.
Small businesses were particularly vulnerable since the average costs of $US2.5m ($A3.6m) could represent a significant percentage of their annual revenues.
Longtail costs from breaches were also significant, the report noted: while 67 percent of overall costs were incurred within the first year of a breach, 22 percent of costs were incurred in the second year and 11 percent more than two years afterwards.
This could represent a significant ongoing cost for companies that suffer large data breaches, with ‘mega breaches’ of more than 1 million records costing an average $US42m ($A61m) in losses.
“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services, in a statement.
“With organisations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.”
Dealing with breaches, faster
Regularly testing and practicing incident-response plans was singled out as a particularly effective way to reduce breach costs, with companies reducing their average data breach cost by $US1.2m ($A1.8m) when they both developed and tested such plans.
Australian organisations, on average, lost $3.05m in costs this year alone – up 14 percent on last year – and businesses were taking longer to identify and deal with the breaches once they had been spotted.
The average time to identify a breach increased from 185 days last year to 200 days this year. Once a breach was identified, the time to contain it had increased from 75 days to 81 days.
Those figures bode poorly in a climate of intensifying cybercriminal activity: a recent Symantec analysis, for one, noted that scam emails had increased by 50 percent during the first quarter of this year alone. And a recent Barracuda Networks study suggested that nearly a quarter of email breaches had cost over $100,000 – probably much more than $100,000, if the new figures are any indication.