The cost of a security breach
Back in 2017, the Atlanta-based credit monitoring company Equifax was hacked. Equifax had been using an outdated version of the Java Apache Struts library in their system, making it possible to infiltrate their system through a known vulnerability. As a result of this breach, the company exposed the personal details of 143 million Americans.
Recently Equifax settled the resulting class-action lawsuit for $380.5 million US dollars.
Return on investment
Everyone understands that security is important, but our actions don’t always follow. The discussion on these matters is always, more or less, about costs, with questions like “How much should we invest in security?”, “What is the value one gets?” and “What is the return on investment?”. The return on investment is basically as simple as “do not get breached”, which is why companies need to make security investments to prevent a breach. How much you should invest in security is a difficult question to answer and is always debatable. But let’s look at it from a different angle: “What kind of data do you own?”, “How important is your system?” and “What are the costs, if you do get breached?”
It’s important to keep in mind that security measures are not just a one-time effort. As much as we need to think about scalability, maintainability, and reliability during our Software Development Life Cycle (SDLC), security is, and always will be, an ongoing job.
The Equifax breach was made possible by a known vulnerability in an open source package they used. More information and technical detail about this breach can be found in this blog post.
The vulnerability had already been found, disclosed, and fixed in a newer version of Apache Struts before Equifax was breached. If you ignore the known security vulnerabilities in the libraries you use, you risk a breach similar to the one Equifax experienced.
The Equifax case shows us how costly security breaches are. As around 60 percent of the adult population in the US was affected by this breach, the total compensation package for Equifax is expected to be as high as $700 million US dollars. People who are affected and eligible for compensation can claim up to $20,000 US dollars each.
But even if you don’t get a $380.5 million lawsuit to settle, getting breached generally has unfavorable business implications. Without public trust, most companies never bounce back from such tragic security incidents.
Scanning for known vulnerabilities
Regularly scanning your projects for known vulnerabilities in the open source packages you use goes a long way in preventing a breach like the one discussed above. Including vulnerability scanning as an integral part of your Secure SDLC helps you prevent breaches through known vulnerabilities and avoid the potentially significant costs of such an incident.
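The core of such a scan is matching the versions you declare against the version ranges an advisory says are affected. The script below is an added illustration, not Snyk’s code or the Equifax system: the advisory list, the Maven-style dependency snippet and the package names are all constructed, and the advisory identifiers are placeholders.

```python
"""Constructed example: flag declared Maven dependencies whose version falls
inside an advisory's affected range [introduced, fixed). Nothing here is real data."""
import xml.etree.ElementTree as ET

# Constructed advisory feed. "introduced" is inclusive, "fixed" is the first safe version.
ADVISORIES = [
    {"pkg": "org.example:web-framework", "introduced": "2.3.5", "fixed": "2.3.32", "id": "ADVISORY-PLACEHOLDER-1"},
    {"pkg": "org.example:web-framework", "introduced": "2.5.0", "fixed": "2.5.11", "id": "ADVISORY-PLACEHOLDER-2"},
    {"pkg": "org.example:json-parser", "introduced": "0", "fixed": "1.4.0", "id": "ADVISORY-PLACEHOLDER-3"},
]

# Constructed <dependency> declarations as they would appear in a pom.xml.
POM_SNIPPET = """
<dependency><groupId>org.example</groupId><artifactId>web-framework</artifactId><version>2.3.31</version></dependency>
<dependency><groupId>org.example</groupId><artifactId>json-parser</artifactId><version>1.4.2</version></dependency>
<dependency><groupId>org.example</groupId><artifactId>logging</artifactId><version>3.0.0</version></dependency>
"""


def parse_version(version):
    """Turn '2.3.31' into (2, 3, 31) so tuples compare numerically; non-numeric parts sort lowest."""
    return tuple(int(part) if part.isdigit() else -1 for part in version.split("."))


def parse_pom(xml_fragment):
    """Return {'group:artifact': version} for every <dependency> in the fragment."""
    root = ET.fromstring(f"<deps>{xml_fragment}</deps>")  # wrap so the fragment is a valid document
    return {
        f"{dep.findtext('groupId')}:{dep.findtext('artifactId')}": dep.findtext("version")
        for dep in root.iter("dependency")
    }


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return (package, declared version, advisory id, fixed version) for each affected dependency."""
    findings = []
    for adv in advisories:
        declared = deps.get(adv["pkg"])
        if declared is None:
            continue  # package not used, advisory irrelevant
        v = parse_version(declared)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append((adv["pkg"], declared, adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for pkg, declared, adv_id, fixed in find_vulnerable(parse_pom(POM_SNIPPET)):
        print(f"{pkg} {declared} is affected by {adv_id}; upgrade to {fixed} or later")
```

A real scanner consumes a maintained advisory feed and the fully resolved dependency tree (including transitive dependencies), but the version-range check it performs is the one shown here.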
Test your project with Snyk for free