August 19, 2019

The Cost Of Identity Breaches

Cyndi Lauper made famous a song written by Thomas Gray called “Money Changes Everything”. One of the verses goes:

Money changes everything
I said money, money changes everything
We think we know what we're doin'
That don't mean a thing
It's all in the past now
Money changes everything

It seems that when it comes to identity access management and recent identity breaches, these words hold true even in the digital world.

Identity Breaches Abound

Despite all of the publicity around data breaches in the past decade, and despite all the advice to improve identity access management strategies, it seems a large number of high-profile organizations still did not heed the warning, and breaches were reported this year as a result.

Michael Novinson’s CRN article titled “The 13 Biggest Data Breaches of 2019 (So Far)” reported:

“Nearly 31 million records were exposed in the 13 biggest data breaches in the first half of 2019, according to information compiled by the Identity Theft Resource Center as well as other sources. Eleven of the thirteen largest breaches impacted medical and healthcare organizations, with one breach hitting a government agency and one breach striking an educational institution.”

The 13 breaches include:

  • Zoll Services: 277,319 records exposed
  • Navicent Health: 278,016 records exposed
  • UConn Health: 326,629 records exposed
  • Surgical Specialists of Spokane: 400,000 records exposed
  • BioReference Laboratories: 422,600 records exposed
  • Carecentrix: 500,000 records exposed
  • UW Medicine: 973,024 records exposed
  • Georgia Tech: 1.3 million records exposed
  • Inmediata Health Group: 1.57 million records exposed
  • Federal Emergency Management Agency (FEMA): 2.3 million records exposed
  • Dominion National: 2.96 million records exposed
  • LabCorp: 7.7 million records exposed
  • Quest Diagnostics: 11.9 million records exposed

As you can imagine, the cost of each breach can be astronomical.

The Cost Is Still Staggering

The two highest-profile breaches of recent years both had specific costs reported recently. In recent weeks, Marriott (breached in 2018) and Equifax (breached in 2017) have each updated the financial liability resulting from their breaches.

A Wall Street Journal article titled “Marriott Takes $126 Million Charge Related to Data Breach” reported:

“Marriott International Inc. said Monday it booked a $126 million charge in the latest quarter tied to a massive data breach disclosed last year and lowered financial projections for the year.”

And, maybe even scarier, it went on to say:

“Marriott faces a £99.2 million ($120.5 million) fine from the U.K.’s privacy watchdog over the data breach.

“The Information Commissioner’s Office, U.K.’s privacy watchdog, said Marriott hadn’t done the proper due diligence when it bought Starwood in 2016 and that Marriott ‘should also have done more to secure its systems.’”

Marriott will be one of the first global companies to face the full potential of Europe’s strong privacy laws, so the world will be watching closely for the outcome.

And not to be outdone by Marriott, Equifax has updated their exposure as well. According to a BankSecurity article titled “Equifax's Data Breach Costs Hit $1.4 Billion”:

“Two years after the data breach, which began on May 13, 2017, and the company discovered and began remediating on July 29, 2017, resulting legal costs and investigations haven't stopped taking a big bite out of the company's bottom line.

“On Friday, Atlanta-based Equifax announced its financial results for the first quarter of 2019, ending March 31, reporting a loss of $555.9 million, compared to net income of $90.9 million in the first quarter of 2018. Equifax's quarterly revenue was $846.1 million, down 2 percent compared to the first quarter of 2018 although up 1 percent on a local currency basis.

“Sales barely missed analysts' average expectations of $852.9 million - less than a 1 percent difference - while the $1.20 actual earnings per share fell below analysts' $1.23 expectation, according to data from Reuters.”

The moral of this story is that organizations need to take decisive actions with their identity authentication strategy in order to prevent digital identity fraud.

How To Prevent Digital Identity Fraud

We have discussed at length how prevention is superior to remediation, so it should come as no surprise that we believe the only way to mitigate digital identity fraud is to implement a continuous behavioral authentication solution. Such a solution prevents anyone from using credentials that are not their own, even if they come upon a legitimately initiated session that the legitimate user walked away from and left open.

Acceptto’s eGuardian engine continuously creates and monitors user behavior profiles based on the user's interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to optimize the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI & ML, expert systems and SMEs to classify, detect, and model behavior, and to assign real-time risk scores that continuously validate your identity prior to, during and post-authentication.

Download Intellyx’s whitepaper titled “App Authentication Evolves in a World of Compromised Credentials” today, and then check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords and still ensure security and privacy by registering for a free demo today.
