Apart from information leaks and reputation damage, data breaches have a huge financial impact on organizations globally. Since the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) came into effect, data regulators have become stringent with organizations that do not take consumer data protection seriously.
By Rudra Srinivas, Feature Writer, CISO MAG
A recent survey on the financial impact of data breaches revealed that security incidents cost companies $3.86 million per breach on average. The survey also found that around 80% of security incidents resulted in the exposure of customers’ personally identifiable information (PII), which in turn led to huge losses for the businesses involved.
Various organizations have been hit with sizable fines and settlements for data breaches or for misusing customers’ information. The year 2020 has seen a significant number of organizations settle long-running class-action lawsuits and regulatory investigations. These include:
1. Hanna Andersson
U.S.-based children’s clothing retailer Hanna Andersson recently agreed to pay $400,000 to settle a data breach lawsuit brought under the California Consumer Privacy Act (CCPA). The lawsuit claimed that Hanna Andersson and its third-party vendor Salesforce violated the CCPA by exposing customers’ personally identifiable information (PII) in a 2019 data breach. The compromise of Hanna Andersson’s retail website came to light in December 2019. The attackers skimmed payment card details from the checkout and payment page of the online portal, including customer names, payment card numbers, CVV codes and expiration dates, along with billing and shipping addresses.
The class-action lawsuit, which resulted in the first monetary settlement under the CCPA, was filed in the U.S. District Court for the Northern District of California in February 2020. Under the settlement, more than 200,000 U.S. customers who made purchases from the Hanna Andersson online store between September 16 and November 11, 2019, are eligible for compensation of $500 to $5,000 each.
2. Home Depot
The U.S. home improvement retailer Home Depot Inc. recently agreed to pay $17.5 million to settle a multistate investigation into a data breach that occurred between April 10, 2014, and September 13, 2014. The threat actors illicitly accessed the payment card details of 40 million customers. The attackers used a third-party vendor’s username and password to break into Home Depot’s network and install malware that harvested customers’ payment card data. The breach affected customers who used self-checkout terminals at Home Depot stores across the U.S. and Canada. In total, the breach is estimated to have affected the data of more than 52 million customers.
3. Anthem
Health insurer Anthem agreed to pay $39.5 million to resolve a multistate investigation into a 2015 cyberattack that exposed the personal data of nearly 79 million people. The investigation was brought by U.S. state attorneys general, including those of New York, Indiana, Connecticut, Illinois, Kentucky, Massachusetts and Missouri. The attack, considered at the time one of the biggest cyberattacks the nation had ever witnessed, compromised users’ names, addresses, Social Security numbers and medical identification numbers. Anthem also agreed to strengthen its ongoing data protection measures.
4. Equifax
Atlanta-based consumer credit reporting agency Equifax settled multiple lawsuits this year. In January 2020, a federal court gave final approval to a $380.5 million consumer class-action settlement, part of a broader resolution that also involved the U.S. Federal Trade Commission (FTC), relating to a 2017 data breach that leaked a massive amount of information about more than 147 million people in the U.S. alone. Despite learning of the breach on July 29, 2017, Equifax waited nearly six weeks to disclose the incident to its consumers and investors; by then, the attackers had been exfiltrating data for 76 days. Class members can claim up to $20,000 in compensation, along with ten years of free credit monitoring services.
In April 2020, Equifax resolved another lawsuit, brought by Indiana Attorney General Curtis Hill, with a $19.5 million settlement to the State of Indiana. The lawsuit concerned the same 2017 data breach, which also leaked the personal information of 3.9 million Indiana residents. The state claimed that Equifax failed to protect its residents’ Social Security numbers and other private information. Under the settlement, Equifax is also required to remediate the security deficiencies identified by the state and to safeguard consumer information going forward.
Multiple organizations are making headlines for weakly protected enterprise networks and poor handling of data breaches. It is high time organizations took information security and compliance seriously and enforced strict access controls on their data, or the number of such settlements will keep rising.