Some 124 new data breaches have become known this year as of Feb. 16, the Identity Theft Resource Center reports. And the White House’s Council of Economic Advisors issued a study last week pegging the cost of malicious cyber activity to the economy in 2016 at between $57 billion on the low end and $109 billion on the high end.
The ITRC, a San Diego-based non-profit that tracks data breaches and monitors cyber security issues, says 2.88 million records have been exposed in the breaches covered by its latest report. The breaches involve retailers, financial institutions, schools, hospitals and medical offices, and other entities. But many of the breach filings do not have an estimate of the number of payment card numbers, bank account numbers, Social Security numbers or other sensitive personal and financial information stolen, so the actual number of compromised records is likely much higher.
The biggest known recent card-related breach involves the Beaumont, Texas-based Jason’s Deli restaurant chain, in which malware installed on point-of-sale terminals led to the possible compromise of 2 million payment cards. Depending on the issuer, exposed information included such data as card numbers, cardholder names, expiration dates, and verification values.
The ITRC reports breaches as they become known via the media, disclosures to state agencies, and other sources, not necessarily when they started. In the Jason’s Deli case, the malware reportedly began harvesting card data last June 8. The chain said it was informed Dec. 22 by processors that a large quantity of card data had come up for sale on the dark Web, and some of the data may have come from cards used at Jason’s Deli locations. On Dec. 28, the company gave the KrebsOnSecurity.com news site, which broke the news, a statement that did not include an estimate of the number of cards compromised. An updated statement in January included the 2 million figure.
Meanwhile, the Council of Economic Advisors’ report says “damages from cyber attacks and cyber theft may spill over from the initial target to economically linked firms, thereby magnifying the damage to the economy.” The Council reviewed data from a variety of sources to come up with its estimates, but a key component involved an examination of the effects of news about 280 “adverse cyber events” on the stock prices of 186 firms.
“We estimate that, on average, the firms in our sample lost $498 million per adverse cyber event,” the report says.
The 62-page report devotes relatively little space to card-related data breaches, but does highlight the costs of the 2014 breach at The Home Depot Inc., which compromised 56 million credit and debit cards and 53 million email addresses. Citing figures from the Atlanta-based home-supply warehouse chain, the report says Home Depot has incurred roughly $300 million in losses since the breach.
“Net of insurance payments, the company has spent $200 million to provide credit monitoring for affected customers, and it also had to hire additional staff for its call center, investigate and upgrade its security network, and pay fines and legal fees related to the breach,” the report says.
In addition, card issuers incurred expenses of roughly $8 in fraud and re-issuance costs per affected card, bringing their total to $440 million, the report says, citing data from the Credit Union National Association.