Cyber attacks can be devastating. Not only do they put a company’s reputation at risk, but they can also lead to sensitive data being passed to criminals on the dark web, potentially impacting the lives of millions of unknowing victims.
At the same time, cyber attacks and data breaches can be incredibly expensive. From recovery costs to compliance penalties and fines, companies are often forced to pay out tens if not hundreds of thousands of dollars following an attack.
But how costly can a cyber attack really get?
Why are cyber attacks so costly?
Cyber attacks are expensive because they don’t just cause immediate disruption, but also long-term damage.
A single cyber attack can shut down an organization’s critical systems and grind entire businesses to a halt. This leads to lost sales, missed deadlines, and a general drain on productivity. Imagine a supermarket being unable to access its payment systems due to ransomware – that's a costly disruption.
At the same time, cyber-attacks and data breaches erode trust in an organization. Customers may be hesitant to do business with a company that can't safeguard their personal information. Rebuilding a damaged reputation takes time and money.
The impact of a cyber attack can also linger for months or even years. Companies may need to offer credit monitoring or refunds to affected customers and there’s the ongoing cost of beefing up cybersecurity measures to prevent future attacks.
That doesn’t include the legal costs associated with breaking security and data compliance regulations, either. Recent research by ISMS.online revealed that a single cyber attack costs UK businesses an average of £237,432 in fines after a data breach due to a violation of data protection laws following an incident.
And a 2023 IBM report revealed that over half of organizations are also required to increase security investments as a result of a breach, including incident response (IR) planning and testing, employee training, and adopting threat detection and response tools.
Most Expensive Cyber Attacks and Data Breaches in History
With attacks becoming increasingly common and more sophisticated, more and more companies are falling victim to attacks in 2024 – and those that aren’t are splashing out big bucks to protect themselves against the risk.
Each one of these attacks is becoming more expensive, with some recent attacks ranking amongst some of the costliest cyber attacks ever. But how expensive can a cyber attack get?
In this list, we’re counting down ten of the most expensive cyber attacks in history, exploring the costly impact each data breach had on its victims.
Uber – $148 Million
We kick off our list with Uber, who in 2016 was the subject of one of the most notorious cyber-attacks of the past decade when threat actors gained access to the personal information of 57 million riders and drivers of the car-sharing app. The hackers were able to compromise internal cloud storage where driver and rider data was stored, allowing them to steal sensitive information including names, email addresses, phone numbers, and in some cases, driver's license numbers. Upon discovering the breach, Uber made the decision to pay the hackers $100,000 to delete the stolen data and keep the breach quiet – a move that was heavily criticized as it violated legal cybersecurity standards and failed to promptly inform affected individuals.
Regulatory agencies and authorities took swift action against Uber once the breach became public knowledge – and Uber was fined a staggering $148 million for its mishandling of the incident. The penalty reflected the severity of the company's missteps and underscored the importance of timely and transparent communication in the event of a data breach. It also served as a deterrent to other companies, highlighting the potential consequences of negligence or deliberate attempts to conceal such incidents. The incident had a long-lasting impact on Uber's reputation, leading to a decline in user trust and a potential loss of market share.
Sony PlayStation Network – $171 Million
On April 22, 2011, following two days of blackout on its Playstation Network, Sony revealed in a blog post that an "external intrusion" had taken its PSN and Qriocity service down. The intrusion, which took place between April 17 and April 19, was later discovered to have exposed the sensitive data of 77 million PSN users, including emails, addresses and credit card information. To mitigate the fallout, Sony took immediate action by shutting down the PSN and engaging forensic experts to investigate the breach. They also offered affected users free credit monitoring services and implemented additional security measures to prevent future attacks.
But as news of the breach spread, Sony faced backlash for its inadequate security measures and the delayed disclosure of the breach. This delay further exacerbated the damage caused by the attack, leaving its user base vulnerable to potential identity theft and fraud for days while Sony tried to cover up the incident. In the end, the cost for Sony was staggering, with the estimated cost of the cyber attack on Sony's PSN amounting to a staggering $171 million. This figure includes expenses related to network downtime, investigations, security enhancements, customer support, legal fees, and settlement payouts. The incident also had a long-lasting impact on Sony's reputation and brand image, which led to a decline in customer trust that would last for years and subsequent financial losses. Not only is the Sony Platstation Network attack on of the costliest, but also one of the most notorious cyber attacks in history.
Hannaford Bros – $252 Million
Next up we have the US-based supermarket chain Hannaford Bros, which in 2007 fell victim to a devastating cyber attack that would become known as one of the. This attack stands as one of the most significant breaches in the retail industry. Hackers were able to spread malware to all of Hannaford’s 300 country-wide stores along with a number of independent stores selling Hannaford products. This gained them unauthorised access to sensitive customer data, including credit and debit card information from more than 4.2 million transactions, with at least t least 1,800 of which later being used for fraudulent purposes.
The aftermath of the attack was marked by intense scrutiny and criticism directed at Hannaford Bros. Customers and the public expressed outrage and concern over the breach, demanding transparency, accountability, and assurances regarding the protection of their personal information. In the end, the impact on the retail giant was immense. The estimated cost of the cyber attack reached a staggering $252 million, encompassing various expenses incurred in the aftermath of the breach. These expenses included investigations, customer notifications, legal fees, credit monitoring services, and potential settlements with financial institutions and affected customers.
TJX – $256 Million
Today TJX s known for its multinational Clothing stores TJ Maxx and TK Maxx, but in 2007 the retail giant was involved in one the largest cyberattacks of its time. The breach saw hackers steal roughly 45.7 million credit and debit card numbers over a period of 18 months through the exploitation of vulnerabilities in TJX's wireless network that gave them access to the company's payment processing systems. Once inside, the attackers were able to instal malware that enabled them to intercept and collect sensitive financial data from customers' transactions while being undetected. The full extent of the breach only became apparent in early 2007 when several banks and credit card companies noticed a significant increase in fraudulent transactions linked to TJ Maxx.
After an internal and external investigation, TJX determined it had threat actors inside its IT systems for nearly 18 months from July 2005 through to December 2006. TJX reported this to authorities in January 2007, but the US Federal Trade Commission soon filed a complaint against TJX alleging the company stored personal data in clear text and transmitted data between and within the business and company networks, generating unnecessary risks to personal customer data. TJX estimated that the incident cost them approximately $256 million, including expenses related to investigating the breach, improving security infrastructure, and settling legal claims.
Target – $300 Million
The third attack on a retail giant on this list, Target’s 2013 data breach stands as one of the most notorious security breaches in history – and the biggest in the retail sector. Over the course of two weeks starting in November 2013, threat actors were able to steal a staggering 40 million credit and debit records and 70 million Target customer records by attacking a third-party vendor connected to Target's systems. The hackers initially infiltrated Target's network by compromising the credentials of a third-party HVAC vendor. From there, they were able to traverse the network, locate the POS systems, and install malware that captured payment card data during transactions. By the time the breach was finally discovered, hackers already had begun to sell their tremendous data haul on black-market fraud websites.
In the wake of the breach, customers became increasingly wary of the security of their personal information, resulting in apprehension about making purchases from Target. This loss of faith in data security can have severe consequences for any company affected by a breach, as seen in similar instances such as the Sony PlayStation and TJX breach. But this was just the beginning. As well as lost profits, costs associated with the breach topped $200 million by mid-February 2014. These costs would rise significantly due to bank reimbursement demands, regulatory fines, and direct customer service costs. About 90 lawsuits were filed, leading to massive lawyer bills. Today, the total cost of the attack sits at roughly $300 million.
Yahoo – $470 Million
When Yahoo revealed in December 2016 that a staggering breach of its systems had resulted in hackers stealing a billion user accounts, it came as a shocking revelation. But the severity of the situation quickly escalated some months later, when it was discovered that not only had Yahoo experienced another breach – separate from the previous one – but that the combined breaches exposed the details of Yahhoo’s entire 3 billion user base. The first breach occurred in 2013 when attackers infiltrated Yahoo's systems and stole sensitive user information, including names, email addresses, telephone numbers, and hashed passwords of Yahoo’s users. This second breach, which occurred less than a year later compromised the accounts of around 500 million users and involved a state-sponsored hacking group. This cyber gang accessed Yahoo's systems and stole user data and stole encrypted passwords.
Yahoo’s double breach shocked the tech industry at the time and raised concerns about the security practices and measures in place at Yahoo, which was 3 years too late in exposing the hack. The double hack would ultimately cost Yahoo estimated expenses of roughly $470 million including investigation costs, remediation efforts, legal settlements, and damage control measures.
Veteran’s Affairs – up to $500 Million
In 2006, the United States Department of Veteran Affairs (VA) suffered a significant cyber incident that remains one of the largest and most expensive data breaches in government history. The breach was set in motion when a Maryland employee took home a laptop and external hard drive containing sensitive personal information of approximately 26.5 million veterans and active-duty military personnel. When his house was burgled, the robbers stole the computer equipment and were able to access the VA’s hard drive, giving them access to names, Social Security numbers, dates of birth, and in some cases, even medical records of the 26.5 million veterans and their spouses.
The breach served as a wake-up call for the government, highlighting the urgent need for enhanced cybersecurity measures and stricter protocols for handling sensitive data. Following the incident, the VA implemented a series of reforms to improve data security, including increased encryption requirements, enhanced employee training, and stricter policies regarding the use of portable devices. But this was too little too late. The incident is estimated to have cost VA up to $500 million in expenses associated with notifying affected individuals, providing credit monitoring services, legal settlements, improving security infrastructure, and implementing measures to prevent future breaches.
Equifax – $1.4 Billion
One of the most damaging breaches in history, the attack on the credit monitoring behemoth Equifax saw hackers compromise the sensitive data of 147 million individuals globally from May through July of 2017. The attackers were able to gain access to multiple Equifax databases containing information including names, Social Security numbers, birth dates, addresses, and even driver's license numbers, leaving those impacted vulnerable to identity theft and financial fraud. Equifax’s attackers encrypted the data they were moving in order to make it harder for admins to discover, and while Equifax had tools that decrypted, analyzed, and then re-encrypted internal network traffic, it had failed to renew one of their certificates nearly 10 months previously – which meant that encrypted traffic wasn’t being inspected. It wasn’t until July 2019, that Equifax renewed the certificate, at which point administrators almost immediately began noticing all that previously obfuscated suspicious activity.
The financial ramifications of the Equifax breach were substantial and wide-ranging. Equifax faced considerable expenses related to investigation and remediation efforts, legal fees, regulatory penalties, and settlement costs. The breach also had long-term consequences for the company's reputation and stock value, as it eroded public trust and raised concerns about Equifax's ability to protect consumer data effectively. Following the breach, the upper ranks of Equifax’s C-suite rapidly turned over. That doesn’t mean the Equifax breach cost the company nothing, though. Two years after the breach, the company revealed it had spent a whopping $1.4 billion in cleanup costs, making it one of the most expensive data breaches in history.
Epsilon – $4 Billion
When Epsilon – the world’s largest permission-based email marketing company – was struck by a database hack in 2011, the business world was not ready for an incident of such magnitude. In what is considered the largest attack of its time, threat actors hacked Epsilon’s database and stole customer records from 75 of its biggest clients, including the likes of JP Morgan Chase, Best Buy, and Target. This resulted in the names and Email addresses of 2% of the associated customers being compromised – and while that seems minute, the sheer scale of available data means some 250 million people were impacted. The attack was such a disaster for Epsilon that the Secret Service was forced to get involved, and Epilson lost an estimated $45 million worth of clients in a matter of days after the attack.
In the aftermath of the incident, Epsilon was warned about the increased potential for hacks and tightened security, but were not fined as they met regulatory compliance for notification. While an exact cost estimate for the Epsilon breach is challenging to ascertain, it is widely regarded as one of the most expensive cyber attacks due to its cumulative financial impact on numerous organizations across various industries. Epsilon itself ended up paying an estimated $225 million in costs and its 75 affected clients paid around $410 million. When you include forensic audits, monitoring, litigation and lost business, the total cost of the attack is estimated to be as much as $4 billion.
NotPetya/ExPetr – $10 Billion
Unlike other entries on this list, the most expensive cyber attack doesn’t relate to a single organisation, but a string of companies involved in a global malware campaign known as ExPetr or NotPetya in 2017. The attack leveraged a sophisticated malware strain that spread rapidly across networks from the initially targeted area of Ukraine to the entire world. Infected computers were locked and their users could no longer access any files until they paid a ransom of $300 in Bitcoins. The malware encrypted files on infected systems, rendering them inaccessible, and demanded a ransom for their release. However, even paying the ransom did not result in data recovery, as the decryption mechanism was poorly implemented.
The financial impact of NotPetya/ExPetr was significant due to the widespread disruption it caused. Numerous organisations, including multinational corporations and critical infrastructure providers, suffered severe operational and financial losses. The attack also disrupted global supply chains, affecting production, shipping, and logistics, and many companies incurred substantial costs to restore their systems and data, rebuild networks, and implement enhanced cybersecurity measures to prevent future incidents. Put all of these costs together and the NotPetya/ExPetr is the most expensive cyber attack to date. Insurance companies reported claims in the hundreds of millions of dollars, with some estimates reaching billions for single claims.