The costs and consequences of a cyberattack have received a great deal of attention in the media. We know that

• Ransom demands have reached $40 million
• Data breach penalties have reached £183 million
• Businesses may be forced to suspend some of their services in the event of a cyberattack
• 36% of lost data could not be recovered on average per attack

While alarming, such a fallout is expected. Businesses understand that a cyberattack is followed by an increase in operating and capital expenditure as part of the recovery and remediation process. However, many organisations are only aware of costs that are usually discussed, such as implementation of new cybersecurity measures including hardware and software upgrades or increase in compliance activities. In addition to these, cyberattacks are also accompanied by other unexpected costs and consequences which also need to be examined. These are not hypotheticals; the examples that follow are based on the real-world impact faced by organisations that have experienced a cyberattack. This compilation illustrates the extent to which a cyberattack can affect an organisation, and emphasises that prevention is better than cure in cybersecurity to avoid both expected and unexpected costs and consequences.

Unexpected Costs

1. Customer Compensation

A Canadian air carrier and tour operator endured multiple delays of disrupted operations due to a cyberattack on a 3^rd party provider. The company paid for its passengers’ stay at hotels and all-inclusive resorts on both sides of the journey and promised to compensate every single passenger for their troubles.

2. Investigation

A school district in the USA spent $300,000 on a forensic investigation following a ransomware attack to conclude that no data had been compromised in the attack. The attack shut schools across the district for two days.

3. Consulting Fees

An American city is spending 145,000 dollars in consulting contracts following a ransomware attack, taking the total mitigation expenditure to $650,000. The full extent of the attack is expected to take a month to determine.

4. Repetition of Work

A police department in the USA has to readd years of report data and contact and call information, including resident history of mental health issues and non-cooperation with officers, following a ransomware attack. Detectives were also forced to revisit several open investigations as computer-stored statements, reports, and other information garnered during the normal course of a criminal inquiry are inaccessible. This repetition of prior work adds to the $300,000 estimate for upgrading affected computers and increasing security measures.

5. Contacting Affected Individuals

Ireland’s national health service is expected to spend €1 million (excluding VAT) in call centre and supporting infrastructure costs to contact individuals whose personal data was stolen in a cyberattack. The ransomware attack has already cost the health service almost €43 million and the cost could eventually rise to €100 million.

Unexpected Consequences

1. Malpractice Lawsuit

A mother in the USA, whose 9-month-old daughter died, is suing the hospital where the child was born for malpractice, claiming the hospital did not inform her of the ransomware attack which prevented proper monitoring of the child’s condition during delivery, leaving the child with severe brain injuries and other problems. The lawsuit claims the mother would have gone to a different and safer hospital for delivery if she had been made aware of the attack.

2. Legal Action from Employees

A cyberattack on an automobile dealer resulted in the attacker accessing personal data of more than 100 employees. The security breach has prompted staff, both current and former employees, to take legal action against their employer, based on fears that National Insurance numbers, bank details, and other personal information could have been compromised in the attack.

3. Poor Reviews

A UK based firm that assists home acquisitions began receiving 1-star reviews following a cyberattack as some home buyers were left homeless because they vacated their old homes but were unable to move into their new residences.

4. Impaired Regulatory Power

A ransomware attack on the Scottish Environment Protection Agency (SEPA) has resulted in the permanent loss of data related to 2019 and 2020 from its national monitoring, compliance, and enforcement databases as well as loss of data on inspections and enforcement action against polluters from staff computers. £42 million of SEPA’s income cannot be verified and £2 million in fees has been written off due to lost records. The cyberattack has raised concerns about extensive damage to the environment as data on big polluters has been lost.

5. Production Shut Down due to Attack on Supplier

One of the world’s largest automobile manufacturers had to shut down all 14 factories in Japan due to a cyberattack on its supplier which discovered a virus and a threatening message after restarting a file server following an error. The shut down affected production of 13,000 vehicles.

6. Impaired Monitoring of Energy Generation

A cyberattack on a major satellite internet provider in Europe affected the remote monitoring and control of 5,800 wind turbines with a total output of 11 gigawatts.

7. Closure

A 157-year-old college in the US, already facing constraints due to the pandemic, was forced to cease operations after a ransomware attack hindered admission activities and blocked the college’s access to crucial data it uses to project its academic and economic future. When it finally regained access to its computer systems, the student enrolment had dropped to an unsustainable level forcing the college to close.

8. Restrictions Imposed by Return to Manual Processes

A ransomware attack locked down a US jail, knocking out security cameras and the automatic door system, requiring staff to manually unlock each cell when detainees needed to get out for exercise or recreation. Inmates had to be temporarily limited to their cells as the lack of security camera coverage created concerns over security.

9. Decrease in Collections

A US government department was forced to postpone two tax sales due to a cyberattack on its data centres. The public auctions are held to help collect unpaid taxes.

10. Diminished Customer Outreach

Hackers accessed the business email account of a dance studio in Australia, which they then used to reset the password of, and take over, the studio’s Instagram account. The studio owner was able to recover the email account but could not recover access to the Instagram account which she used to promote her dance classes, forcing her to start a new Instagram account and rebuild her audience with consequent loss in revenue. The Instagram account was the target of the attack, which the hackers used to request money from, and promote cryptocurrency to, her followers.

Cyberattacks can have varied, and severe, consequences for organisations beyond the immediate and direct costs following the attack. K7 recommends following cybersecurity best practices, training staff on cyber hygiene, and utilising updated cybersecurity solutions, such as K7 Endpoint Security and K7 Network Security, to defend business operations against cyberthreats.