T-Mobile confirmed last week a huge data breach of customer personal information (PII), after hackers claimed to have broken in via an access point left open to the internet. According to the wireless carrier’s latest count, data for 54 million current, former and prospective customers was stolen.
When all the bills are paid, the breach will most likely have cost the carrier $49 million, the RiskLens Data Science team estimates, though costs could run as high as $537 million. T-Mobile has not released any costs for the breach, but RiskLens' data scientists estimate a range of probable costs, using the quantitative risk assessment techniques that power the RiskLens platform to crunch the numbers from the recent history of data breaches of this type and magnitude.
Data Breach Analysis at RiskLens
For years, the industry standard for estimating the cost of breaches was a simple formula: multiply the number of stolen records by a fixed dollar cost. That led to inaccurate estimates because losses don't scale linearly with the number of records, and the formula couldn't capture how losses vary by type of data, industry or other variables, in terms of both probable cost and likelihood of occurring.
As an example, T-Mobile says that no customer credit or other financial information (PCI) was breached – a result that greatly reduces the chances of customer lawsuits and therefore legal costs or court judgments, and should keep the overall costs of this breach lower than those of some other breaches with a comparable number of records stolen.
RiskLens has advanced the state of the art in cyber risk data science with a process that combines:
- Analysis of loss data from Advisen (for the T-Mobile analysis, the July Advisen numbers covering similar companies were used)
- Proprietary data collected by RiskLens from its extensive work analyzing cyber risk with Fortune 1000 companies
- FAIR™ (Factor Analysis of Information Risk), the international standard for quantitative risk analysis, created by RiskLens Chief Risk Scientist and Co-Founder, Jack Jones.
- Monte Carlo simulations of thousands of iterations
- Statistical and econometric modeling – RiskLens presented the details on the model at the most recent conference of the Society of Information Risk Analysts: Estimating Financial Losses From A Data Breach: Log-Log And Logistic Regression With Bernoulli Trials And Monte Carlo Simulations
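To make the contrast with the flat per-record formula concrete, the sketch below is an added example, not RiskLens's model or code: it runs a seeded Monte Carlo simulation over a log-log severity curve with a Bernoulli trial for fines and reports the quartiles of the resulting loss distribution. Every coefficient and function name in it is constructed for illustration and is not calibrated to the T-Mobile breach or to Advisen data.

```python
import math
import random
import statistics

# Constructed coefficients (assumptions for illustration only).
COST_PER_RECORD = 150.0       # flat figure used by the old linear formula
INTERCEPT, SLOPE = 7.0, 0.5   # ln(loss) = INTERCEPT + SLOPE * ln(records)
SIGMA = 1.0                   # residual spread around the log-log fit
P_FINE = 0.3                  # probability that fines/judgments occur at all
FINE_SHARE = 0.25             # fines as a share of primary loss when they occur


def linear_estimate(records):
    """Old approach: loss grows in direct proportion to record count."""
    return records * COST_PER_RECORD


def simulate_losses(records, iterations=10_000, seed=1):
    """Draw one total loss per iteration from the log-log model."""
    rng = random.Random(seed)  # seeded so runs are reproducible
    mu = INTERCEPT + SLOPE * math.log(records)
    losses = []
    for _ in range(iterations):
        primary = math.exp(rng.gauss(mu, SIGMA))  # lognormal severity
        fined = rng.random() < P_FINE             # Bernoulli trial
        losses.append(primary * (1 + FINE_SHARE) if fined else primary)
    return losses


def summarize(losses):
    """Report the range a decision-maker sees, not a single point."""
    p25, median, p75 = statistics.quantiles(losses, n=4)
    return {"p25": p25, "median": median, "p75": p75, "max": max(losses)}


if __name__ == "__main__":
    for records in (5_400_000, 54_000_000):
        s = summarize(simulate_losses(records))
        print(f"{records:>11,} records  linear=${linear_estimate(records):,.0f}")
        print(f"    p25=${s['p25']:,.0f}  median=${s['median']:,.0f}  "
              f"p75=${s['p75']:,.0f}  max=${s['max']:,.0f}")
```

With a slope below 1, ten times the records multiplies the simulated median by about 3.2 rather than 10, while the long right tail keeps the maximum far above the median.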
Detailed Loss Estimates on the T-Mobile Data Breach
RiskLens analysis of the publicly known T-Mobile breach data revealed this distribution for probable loss, based on our modeling and Monte Carlo simulations.
Results of RiskLens analysis are always expressed in ranges as annualized loss exposure (ALE), to give decision-makers a full sense of probable outcomes. The 25th and 75th percentile marks indicate the spread of the middle half of the loss distribution (technically speaking, the inter-quartile range).
Feeding into the top-line numbers were detailed analyses of other parameters that yield these results as Most Likely:
- Primary Incident Response Costs: $27.8 million
- Fines and Judgements: $3.4 million
- Secondary Response Costs (such as paying for customer credit monitoring): $5.7 million
These estimates can change as more data becomes available.
Minimize Your Exposure to Data Breach. First, Do You Really Need So Much Data?
The fact that the large majority of the records breached (47 million) at T-Mobile concerned former or prospective clients has raised questions about whether, as the Wall Street Journal said, “the effects of data breaches are being widened by the amount of data companies gather on consumers.”
We’ve seen in analyses for RiskLens clients that organizations may hoard data that’s not mission-critical without fully understanding their liability. Analysis has shown that simply purging non-critical data can lead to big reductions in risk, especially when paired with good encryption practices and other data-loss prevention measures. Quantitative risk analysis can accurately identify your optimal and most cost-effective strategy for securing your data. Read a case study: Finance Company Assesses Risk of Data Breach from Shared Storage.