When it comes to Magecart-style attacks, it’s no longer a matter of “if”, but “when”. We all know that data breaches cost companies money, lots of money. According to a study by Ponemon, the global cost of an average data breach in 2018 was $3.86 million. That’s 6.4% higher than the previous year, and these numbers are only expected to continue growing.

This number is just the average. Many breaches incur much higher costs. For example, the famous Equifax breach in 2017 led to $439 million in costs in 2018.

At Source Defense, we are specifically focused on preventing breaches that originate with website supply chain vendors: all those great tools that most websites work with today, such as chat services, billing mechanisms, analytics, ad injection and more.

For businesses, big and small, such third-party services enhance the user experience for their customers and contribute to their bottom line. For hackers, they are an easy point of entry into the website's sensitive data. Each one provides an unmanaged connection between the third-party JS vendor's servers and the client's browser, and whoever controls that script gains unlimited access to the web page, can assume total control, and enjoys the same privileges as the website owner.

These types of breaches are becoming more frequent every year. In early December 2018, Quora announced a breach as a result of a “third-party” that compromised 100 million accounts.

British Airways, T-Mobile, and Ticketmaster are only a few of the breaches you may have heard of in 2018, some of which were also a result of vulnerable third-party JavaScript code. Some security experts claim the Ticketmaster breach was a direct result of faulty JavaScript code provided by a third-party vendor.

Of course, all of the above are huge companies that made a mistake. This couldn’t possibly happen to you, and even if it did, the costs wouldn’t be nearly that high, right? Wrong! Let’s take a closer look and see what a breach to your website could actually cost you.

Direct Cost of a Data Breach

We’ll start with the easy and most obvious costs you’re likely to incur.

  • Fines:

Once a data breach is announced and reported, companies are likely to face fines depending on their location, the location of their target audience, and the regulation they must comply with. Under the GDPR, which took effect in 2018, a company can be fined up to €20 million or 4% of its global revenue for the previous year. Fines can increase if a breach is not announced as soon as it occurs. For example, Ticketmaster could be fined up to 4% of annual turnover or £17 million, whichever is higher.

  • Legal Fees:

Following a data breach, a company is likely to incur legal fees in order to handle lawsuits, communication with government organizations, banks, etc. In 2013, Target’s data breach affected 41 million consumers. In the years that followed, Target paid over $40 million in legal fees.

  • Settlements & Damages:

Lawsuits and class-action lawsuits are common following a breach. Legal fees aside, companies often incur additional fees in settlements as a result. That same Target breach resulted in approximately $68.5 million in settlements alone. This doesn’t include the $172 million the company paid as part of their settlement with financial institutions.

  • Security Professionals:

Once a data breach is discovered, it needs to be handled by cyber-security experts. This usually involves hiring additional personnel to investigate the breach, stop it, and prevent it from happening in the future.

  • PR:

PR firms and experts are often hired after a breach to handle the aftermath, which frequently includes a brand reputation crisis.

These costs can be easily predicted and measured in most cases, and they are enough to bankrupt a company on their own. That being said, they’re just the tip of the iceberg. The bigger and more significant costs are indirect, hidden and in many companies go completely under the radar, until it’s too late.

Indirect Costs of Magecart-Style Attacks You May Have Missed

Once a breach occurs, it activates a long chain of events that happen in the background. While you’re busy hiring lawyers and dealing with lawsuits, a lot more is going on right under your nose, and just because you can’t see it off the bat, doesn’t mean you’re not paying for it.

Here are a few of the indirect and hidden costs you should consider when evaluating the cost of a data breach.

Irreparable Damage to Your Reputation

Reputation is a fragile thing. It takes years to build, and moments to destroy. When a breach occurs, your target audience feels betrayed and angry. The initial cost of this can be seen in lawsuits, but there is a far greater cost that can last for years. Consumers make decisions with their wallets, and are likely to buy elsewhere once they feel that a brand cannot protect their data. Naturally, this affects the company's bottom line directly, and it can also make hiring harder, as even the most skillful headhunter will have difficulty convincing top talent to work for a "breached" company. Furthermore, it can negatively affect the personal business reputation of each person on the executive team, and affect their own future endeavors. Stocks drop, the team is affected, and revenues plummet. Unlike a fine, which can be paid and forgotten, reputation cannot be fixed so easily. In many cases, the damage is irreparable. The Equifax breach, for example, cost the company much more than what it paid in fines, settlements, and legal fees; most of the executive team left (CEO, CIO, and CISO) and the stock dropped by almost 40%. In 2013, Yahoo was breached and 3 billion accounts were affected. As a result, when Yahoo was acquired by Verizon, the price was lowered by $350 million.

Loss of Customers to Competition

Organizations invest a lot of resources to expand their customer base, and even more to retain and upsell to existing customers. This is because they know that customers can easily leave. In today's age, access to data is easy and consumers can conveniently weigh their options for any service they need. From user experience to customer support, companies of all sizes understand that their audience has the power to choose where they want to go and spend. A data breach is an easy way to convince customers to go elsewhere, where their credit card information, address, or other sensitive data will be secure. While a lot is spent on PR after a breach, it cannot fix a reputation that is broken, as already discussed above. A breach often results in an instant drop in existing customers. It also affects the influx of new customers, which is more difficult to measure. Companies often lower prices or offer additional bonus services to entice customers to choose them. The bottom line is a drop in revenue and ongoing business.

In-House Chaos

There are certain things that happen once a breach is detected. This includes communicating with the company’s teams to update them on what happened and decide on how to move forward. Often, this leaves everyone in disarray and disrupts the company’s regular routine. The result can be chaotic:

Alerting everyone in the company and maintaining calm is not easy. Employees start to worry about their jobs and their own reputation. This affects the work environment and everyone's productivity.

Existing employees need to be trained on how to handle calls, speak to customers, and communicate about the breach. This takes time and money.

As soon as the breach becomes public knowledge, there will be an influx of emails, calls, letters, and support tickets from concerned customers. Existing staff may not be enough to handle this efficiently, which leads to additional costs of hiring and onboarding.

Employees start working in "emergency mode", which means that roles can change to handle the breach and take care of damage control. This is usually at the expense of the ongoing business, so while the company tries to mitigate the damage, it doesn't notice the additional losses this causes.

Damage control is not something anyone can do at a moment’s notice. It requires a well-oiled machine of trained and experienced employees. Hiring such a team is critical to mitigate the damage as much as possible, which can be a significant expense. Without it, an inexperienced team can do even more damage to the company’s reputation and revenues.

Development Delays

Companies are usually working on new developments, features, and upgrades to enhance their products and offerings and keep up with competitors. Dealing with a breach halts this activity in most cases, which leads to significant launch delays.

Finding a Replacement

This may sound obvious, but it's often missed as an expense. A breach results in downtime of the specific third-party service or tool that was affected. For example, if the breach was via an analytics tool, the company will have to take into account a period of time without that service at all, until it finds a suitable replacement. It takes time and resources to choose a replacement, and in some cases the feature is critical to the company's sales activities, which could affect revenue.

So, Back to Third-Party JavaScript Tools. Should We Stop Using Them?

All websites are vulnerable to the risks that third-party JS providers pose. Does that mean that you shouldn't use these services at all? No. A company does not need to compromise its user experience and service in order to protect its website and data. Addressing this risk starts with understanding that it's there, and that the potential cost is far greater than initially thought. We believe that the solution lies in prevention: total and absolute prevention. Prevent the breach from happening altogether, and voila! You can enjoy as many supply chain JS tools and vendors as you need to maximize your business. Remember, once a breach occurs, it doesn't matter that it started with a third-party JS vendor. As far as your customers or compliance bodies are concerned, you are at fault and it is your responsibility.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for requirements 6.4.3 and 11.6.1 without adding a burden to your security teams.