The costs of a data breach are regularly reported in research such as the annual Verizon Data Breach Investigations Report (DBIR) and the IBM Cost of a Data Breach Report. These put the average cost of a breach in the $1-10 million USD range. Just as frequently, however, headlines report much bigger numbers: major incidents where eye-watering costs run into the hundreds of millions or even billions of dollars.
For cyber risk management it is important to plan for both regular, average incidents and worst-case scenarios. This article walks through three real-world cases of major cyber incidents and explains how their large price tags add up.
The Cost of Business Interruption - Maersk
In 2017 the international shipping and logistics firm Maersk fell victim to NotPetya, a destructive "wiper" disguised as ransomware. IT systems were shut down across multiple sites and business units, and nearly 50,000 servers and PCs were destroyed, crippling Maersk's shipping, container, and logistics operations.
“Their crane operators were unable to load or unload their customers’ wares. With the presence of massive ships carrying over 15,000 containers in their ports, no easy workaround existed for understanding the next steps in moving containers along their shipping routes. Refrigerated units that would normally have to be rapidly transferred between vehicles had to receive temporary power to avoid spoilage, while ports soon became crowded with truckers understandably short on patience as hours of uncertainty dragged on.”
Columbia University NotPetya Case Study
Rebuilding the devices took 10 days, and full recovery took nearly two months. During this time Maersk was forced to revert to manual processes to keep containers moving.
The Risk Management section of Maersk’s annual report from 2017 noted that while recovery was fast, “within a brief period A.P. Moller-Maersk suffered losses in the order of $250-300m USD covering among other things, loss of revenue, IT restoration costs and extraordinary costs related to operations.”
The Cost of a Data Breach - Change Healthcare
Change Healthcare provides billing and insurance services to healthcare providers such as hospitals, pharmacies and other medical organizations across the US healthcare sector. In February 2024 Change Healthcare was the victim of a ransomware attack that both caused outages to the Change Healthcare services and resulted in the theft of the private medical data of approximately 190 million Americans.
The outage stopped billing systems at doctors' offices and healthcare practices from working, and insurance claims stopped processing. It took nearly two months to restore all relevant systems. Individuals whose data were stolen were notified by letter and offered two years of credit monitoring and identity theft protection. Change Healthcare has also had lawsuits filed against it accusing it of security failings.
In parent company UnitedHealth Group's 2024 annual report the direct response costs for the cyberattack are listed as $2.2 billion USD, with total cyberattack impacts listed at over $3 billion. Later updates have reported further costs.
Speaking to the US House Energy and Commerce Committee, UnitedHealth Group CEO Sir Andrew Witty confirmed that the company paid the $22 million ransom, though this did not prevent the criminals from publishing some of the stolen data: a payment buys no enforceable guarantee that stolen data will be deleted. It is worth noting that ransom demands and payments in general have continued to increase in recent years. The largest known single ransom payment, reported in 2024, was $75 million USD paid to the Dark Angels ransomware group by an undisclosed Fortune 50 company.
The Cost of CEO Fraud - FACC
The final case concerns social engineering and fraud. Cybercriminals stole approximately 42 million euros ($47 million USD) from Fischer Advanced Composite Components AG (FACC), an Austrian aeronautics company whose customers include Airbus, Boeing and Rolls-Royce.
The company was the victim of a "CEO fraud" scam, a form of business email compromise. An employee was fooled into transferring the money after receiving emailed instructions from someone impersonating the chief executive, Walter Stephan. After realizing the error, the company took steps to block the transfer of funds, but was only able to stop the transfer of 10.9 million euros.
The CEO was fired following the incident in 2016 after the supervisory board concluded that he had “severely violated his duties”. The finance chief was also later sacked, though there is no suggestion that either executive was involved in the scam.
Final Words
The Maersk, Change Healthcare, and FACC cases show that in a major incident the financial costs of a cyber attack can exceed the reported average costs by a factor of 100 or more and quickly reach hundreds of millions, if not billions, of dollars.
While these cases are certainly extreme, it is crucial for cyber risk management professionals to understand both the large losses, which will (hopefully!) occur infrequently, and the average losses, which occur more often. Cyber risk quantification provides a way to estimate both of these figures along with their associated probabilities.
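To make that last point concrete, the following Python simulation is an added illustration, not code from the original article or from Squalify. It models annual cyber loss as frequency (how many incidents per year) times severity (how much each one costs), and shows why the expected annual loss and the tail loss can differ by two orders of magnitude. The incident rate, median loss and spread are constructed assumptions chosen for the demonstration, not figures from any report or from the cases above.

```python
"""Toy cyber risk quantification: frequency x severity Monte Carlo.

Constructed example. All parameters are illustrative assumptions,
not figures from the DBIR, IBM, or the incidents discussed above.
"""
import math
import random
from statistics import mean


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw one Poisson(lam) sample with Knuth's multiplication method."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(
    *,
    n_years: int = 100_000,
    incidents_per_year: float = 1.5,       # assumed Poisson rate
    typical_loss_usd: float = 2_000_000,   # assumed median single-incident loss
    severity_sigma: float = 2.0,           # assumed log-normal spread (tail weight)
    seed: int = 7,
) -> list[float]:
    """Return one simulated total loss per year.

    Frequency: Poisson(incidents_per_year) incidents in a year.
    Severity:  each incident costs lognormal(mu, sigma) dollars, with mu
               chosen so the median single-incident loss is typical_loss_usd.
    """
    rng = random.Random(seed)
    mu = math.log(typical_loss_usd)
    losses = []
    for _ in range(n_years):
        count = _poisson(rng, incidents_per_year)
        losses.append(sum(rng.lognormvariate(mu, severity_sigma)
                          for _ in range(count)))
    return losses


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank empirical percentile, q in [0, 100]."""
    ordered = sorted(values)
    idx = math.ceil(q / 100 * len(ordered)) - 1
    return ordered[max(0, min(len(ordered) - 1, idx))]


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Estimated probability that a year's total loss exceeds threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_summary(losses: list[float]) -> dict[str, float]:
    """The two views a risk manager wants: the average and the tail."""
    return {
        "expected_annual_loss": mean(losses),
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
        "p999": percentile(losses, 99.9),
        "p_exceed_100m": exceedance_probability(losses, 100_000_000),
    }


if __name__ == "__main__":
    summary = loss_summary(simulate_annual_losses())
    for name, value in summary.items():
        if name.startswith("p_"):
            print(f"{name:22s} {value:.3%}")
        else:
            print(f"{name:22s} ${value:,.0f}")
```

The heavy-tailed severity distribution is what does the work: the median year costs a few million, the mean year costs an order of magnitude more (a handful of very large incidents dominate the average), and the 1-in-100 year costs hundreds of millions. Reporting only the mean hides the tail; reporting only the tail hides how often the ordinary years happen.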
Whether the consequences are business interruption, a personal data breach, or financial theft or fraud, it is important to realistically model major incident scenarios so that you understand not just the potential costs, but also what might happen and how to respond. Each of these scenarios can be modeled using the Squalify platform.