Cyber attacks have been on the rise in recent years, with hackers and cyber criminals finding new ways to infiltrate systems, steal data, and disrupt operations. Some of these attacks have come with an extremely high price tag, costing companies and governments billions of dollars in recovery efforts, legal liabilities, and lost revenue. When looking at the most financially damaging cyber attacks in history, a few major events stand out for their massive price tags.
The WannaCry Ransomware Attack
One of the most well-known and impactful cyber attacks was the WannaCry ransomware attack that took place in May 2017. This malicious software encrypted files on infected Windows computers and demanded ransom payments in Bitcoin to decrypt them. It spread rapidly through vulnerable networks, bringing down systems for major organizations worldwide. While exact figures are hard to pinpoint, WannaCry inflicted damages estimated at between $4 billion and $8 billion.
WannaCry initially targeted computers running outdated and vulnerable versions of Windows software. It used an exploit for a Windows vulnerability that had been developed by the United States National Security Agency (NSA) and leaked online. Because many systems hadn’t installed the Microsoft patch that resolved this issue, the ransomware was able to spread quickly and widely once unleashed.
Major victims included the National Health Service (NHS) in the United Kingdom, which saw approximately 70,000 devices infected. This caused significant disruptions to medical facilities and patient care. Other high-profile targets included FedEx in the U.S., the Russian Interior Ministry, and telecom companies like Telefónica in Spain. With so many critical systems locked down, the overall financial fallout was massive.
NotPetya Malware
Just weeks after WannaCry, another destructive piece of malware surfaced, called NotPetya. It took advantage of the same Windows vulnerability and functioned similarly in that it encrypted infected hard drives for ransom. However, NotPetya behaved far more like a wiper, permanently destroying vast amounts of data. For this reason, it inflicted even heavier damages, estimated at between $10 billion and $15 billion.
NotPetya initially targeted companies in Ukraine, including government agencies, banks, power companies, airports, and public transit. It quickly spread globally, impacting major brands like shipping giant Maersk, pharmaceutical company Merck, and food producer Mondelēz International. By permanently wiping data and severely disrupting operations, NotPetya gravely impacted bottom lines.
Maersk reported nearly $300 million in related damages. Global supply chains dependent on its shipping services also took major hits. FedEx’s European subsidiary TNT Express suffered around $400 million in disruptions from the malware. And with 19,000 infected systems, Mondelēz stated the incident cost it around $188 million and a 10% loss in quarterly revenue.
Yahoo Data Breaches
Some of the most expensive cyber attacks have come in the form of massive data breaches that exposed billions of sensitive user account details. In 2016, Yahoo revealed that hackers had stolen data associated with up to 500 million user accounts in late 2014. This included names, email addresses, telephone numbers, dates of birth, passwords, and security questions/answers.
As if this didn’t already inflict substantial costs in remediation and legal liabilities, it was revealed in 2017 that a 2013 data breach had compromised all 3 billion Yahoo user accounts existing at the time. Specific figures aren’t known, but cumulatively these attacks have cost Yahoo around $350 million. Verizon later reduced its acquisition offer for Yahoo by $350 million following revelations of this massive account compromise.
Sony Pictures Hack
Entertainment giant Sony Pictures was the victim of a devastating cyber attack in 2014 by a group called the Guardians of Peace. This has been attributed by the FBI and other agencies to North Korean state-sponsored hackers. The attackers managed to decrypt and release huge troves of confidential data from Sony’s network, including upcoming movie scripts, internal emails, and employee data like salaries and social security numbers.
The motive appeared to be preventing the release of The Interview, a Sony film centered on assassinating North Korean leader Kim Jong-Un. The attackers threatened violence against any movie theaters that screened it. Ultimately, Sony decided to cancel the movie’s formal premiere and mainstream release. Still, the hack had lasting ramifications. Leaked information proved highly embarrassing for executives and staff. Sony estimated total damages at around $15 million, including $100 million in IT repairs.
Anthem Health Insurance Breach
In February 2015, Anthem Inc, the second-largest health insurer in the U.S., discovered a data breach impacting nearly 80 million customer and employee records. Hackers accessed names, birthdays, social security numbers, street addresses, email addresses, incomes, and employment information. This remains one of the largest healthcare data breaches to date in terms of overall records compromised.
In 2017, Anthem settled a class action lawsuit for $115 million. The company also reportedly spent $260 million in 2015 and 2016 dealing with the cyber attack’s aftermath. Costs included IT recovery efforts, legal services, and credit monitoring for impacted individuals. With nearly 40% of Americans receiving coverage through Anthem, this breach demonstrated how a single hack can impact tens of millions.
Target Customer Data Breach
Back in late 2013, big box retailer Target experienced a massive breach leading to 40 million payment card numbers and 70 million customer details being stolen. This occurred at the peak holiday shopping season, allowing hackers to capture prime target data. Compromised information included names, mailing addresses, phone numbers, email addresses, and credit/debit card numbers.
The results proved seriously damaging for Target. The company reported $162 million in breach-related costs by mid-2015, including payments to card networks for fraud losses and costs to enhance their POS systems and software. However, a $39 million class action settlement with banks and credit unions affected by fraudulent purchases brought the total up to around $200 million. Target also paid approximately $67 million to settle claims with affected customers.
Adult FriendFinder
Dating and adult website Adult FriendFinder experienced a major security breach in 2016 that exposed very sensitive data on over 400 million user accounts. Information included names, emails, dates of birth, passwords, browser data, sexual preferences, and in some cases, whether they were seeking extramarital affairs. Given the site’s nature, this proved incredibly damaging.
The company was already struggling financially, and this hack is credited with putting their parent company FriendFinder Networks Inc. into bankruptcy. InfoArmor estimated the cyber criminals behind the attack could make $173 million selling the stolen data. Adult FriendFinder was also hit by multiple denial-of-service attacks that inhibited its operations. When accounting for these follow-on impacts, the overall costs were substantial.
Equifax Credit Reporting Agency Hack
From May to July 2017, the Equifax credit bureau was the victim of a severe data breach that exposed the personal information of nearly 150 million Americans. Data included names, Social Security numbers, birthdates, addresses, driver’s license details, and credit card numbers. This represented about half the U.S. population and impacted Equifax’s operations throughout North America and the U.K.
Following the attack, the value of Equifax’s stock declined by over 30%. The company spent $400 million in 2017 on IT security and legal support related to the breach. This included a $700 million settlement with the Federal Trade Commission. They also agreed to pay up to $425 million to compensate individuals for stolen information, credit monitoring, and other remediation. When factoring in lost business and investments in data security, the overall cost exceeded $1.4 billion.
Uber 2016 Data Breach
In 2016, Uber sustained a data breach impacting 57 million rider and driver accounts globally. However, this attack was hidden by the company for over a year until new Uber leadership went public in late 2017. Compromised data included names, emails, phone numbers, and driver’s license info. Uber agreed to pay $148 million in a settlement with state authorities over failure to disclose the breach.
Besides legal penalties, Uber faced major indirect costs from reputational damage. The incident contributed to Uber’s overall brand crisis at the time in terms of public trust. Their CEO ultimately stepped down following the scandal over the breach and separate sexual harassment allegations at the company. The combination of fines, distrust from the public and investors, and the resulting leadership shakeup made this a very costly cyber event for Uber.
Conclusion
Major cyber attacks often make headlines, but the longer-term costs behind the scenes can be astronomical for targeted organizations. Between business disruption, remediation expenses, legal liabilities, reputational harm, and loss of customer trust, impacts routinely reach hundreds of millions or even billions of dollars. For large companies like Yahoo, Uber, Target, and Equifax, massive data breaches have each cost anywhere from $200 million to over $1 billion.
Healthcare, retail, tech, insurance, and many other industries have proven vulnerable to different forms of compromise. Ransomware attacks like WannaCry and NotPetya have crippled critical infrastructure systems and destroyed data on a wide scale. While cyber security measures continue to advance, successful attacks are inevitable given the rewards for criminals. Major companies need to take proactive steps to manage and mitigate breach costs, and also to plan thorough response strategies for the major incidents likely to occur in the future.
Cyber Attack | Industry | Year | Impact | Estimated Damages |
---|---|---|---|---|
WannaCry Ransomware | Cross-industry | 2017 | Encrypted files for ransom | $4 – $8 billion |
NotPetya Malware | Cross-industry | 2017 | Permanent data wiping | $10 – $15 billion |
Yahoo Data Breaches | Technology | 2013-2014 | 3+ billion accounts exposed | $350 million |
Sony Pictures Hack | Entertainment | 2014 | Confidential data theft | $15 million |
Anthem Health Breach | Healthcare | 2015 | 78 million records exposed | $260 million |
Target Customer Breach | Retail | 2013 | 70 million customer details stolen | $200 million |
Adult FriendFinder | Technology | 2016 | 400 million accounts exposed | Bankruptcy |
Equifax Breach | Financial Services | 2017 | 147 million Americans impacted | Over $1.4 billion |
Uber Data Breach | Technology | 2016 | 57 million user accounts exposed | $148 million |