We finally know how much a data breach can cost

People have been estimating the costs of data breaches for years. But now, thanks to a renegotiated Yahoo/Verizon deal, we finally have a real number. And it’s HUGE!

Everyone knows corporate data breaches can be expensive, but does anyone really know exactly how expensive? Recent estimates for the average cost have landed all over the map, ranging from $4 million to $7 million. But when it comes to the top end of the scale, those appraisals turn out to be laughably small.

The massive Yahoo data breaches of 2013 and 2014 now have a real cost attached to them, and it’s a couple orders of magnitude larger than those piddly estimates. Simply put, the breaches forced Yahoo to renegotiate its sale to Verizon, cutting the price by $350 million. 

Yep, $350 million. Almost a third of a billion dollars. For a data breach.

Sure, the Yahoo breach was ginormous, affecting an estimated 500 million accounts. That’s far, far larger than most breaches, but reportedly the stolen accounts did not include credit card numbers or other payment information. Furthermore, the $300 million figure doesn’t even include the standard issues used to calculate the costs of a data breach, such as remediation, loss of customers, business disruption, regulatory fines, legal costs, PR, notification costs and so on. 

Didn’t matter. The Yahoo breach didn’t just create these kinds of direct and indirect costs, it substantially slashed the value of the entire company. Instead of being sold for $4.8 billion, Yahoo’s investors will get only about $4.48 billion. 

Amazingly, a bump in Yahoo’s stock price indicates that those investors are thrilled. Apparently, the big worry was that the breach (and to be fair, Yahoo’s bungled handling of the issue) would cost even more—Verizon was said to be asking for a discount of up to $1 billion—or perhaps scotch the deal entirely. 

$350 million raises the bar—for now 

Still, if you think $350 million is the ultimate high end of what a data breach can cost, you’re not really paying attention. It seems certain that it won’t be long before even bigger, even more costly breaches will come to light. It’s even likely that breaches fitting that description have already occurred. We just don’t know about them yet.

And then there are costs that transcend dollars. Many observers believe data breaches swayed the results of the 2016 presidential election—and that similar efforts remain in play in politics and governments around the world. 

Clearly, there are no real limits to what cyber attacks of various kinds can put at risk, from unimaginable amounts of money to political control and, most terrifyingly, outright real-world death and destruction. But maybe that whopping $350 million figure will help wake up IT, business, and government leaders to the need to take better precautions. Let’s hope so, anyway.
