The Cost of Cyber Breaches
Earlier this week Merck said that the NotPetya is going to cost them and the numbers are staggering.
In last Friday’s earnings call Merck said that NotPetya has impacted third quarter results to the tune of around $300 million. That includes $135 million in lost sales and $175 million in costs.
But that is not all. They also said that they anticipate a similar impact to revenue and costs in the fourth quarter.
That means in just this year alone, it could cost Merck $600 million plus. It is likely that the costs will not end with the turning of the calendar page to January.
Also likely is that they have cyber insurance, but that might pay $100 million and could be a whole lot less than that. That could leave Merck with having to write a check for a half billion dollars. Or more!
Moving on to the Wannacry attack, The Guardian is reporting that hackers moved 108,000 British Pounds out of a few Bitcoin wallets that people paid ransoms into. Note that this is not what it cost people to deal with Wannacry, but rather what they paid the attackers.
Since Bitcoin is not anonymous (in fact it is anything but, which is why, months later, we know exactly each and every withdrawal from the Bitcoin wallet virtually instantly), the police are tracking those transactions and may be able to figure out who is moving the money.
As the British Health Services (NHS) are doing an after attack review from Wannacry, the story that is coming out is that they could have avoided the attack if they had implemented basic cyber security practices.
As far back as 2014 the Department of Health and the Cabinet told NHS that they needed a robust plan to migrate away from old software (like Windows XP) and in March and April 2017 (a month or two before the attack) NHS Digital issued a critical alert for NHS organizations to install the patches needed to stop Wannacry in its tracks. Those patches were not installed. NHS blamed cost cutting measures from reducing resources needed to manage their systems.
NHS Digital had conducted on site assessments of 88 out of 236 of the health trusts in England.
NONE PASSED.
But NHS Digital has no enforcement powers to make anybody fix the problems.
Bottom line is that these attacks can be tremendously costly and in many cases, simple measures would have mitigated the attacks, possibly completely.
Information for this post came from Tech Republic, The Guardian and another Guardian article.