What are the most expensive cyber attacks of all time?
Story by
May 6, 2022
Not only can a cyberattack be detrimental to your company’s reputation, but they can also be very expensive. Here at Business Leader, we are currently running our cyber security month, so for this week’s Business Leader Top 12, we took a closer look at the most expensive cyberattacks of all time.
However, if you believe we have missed a company from our list, please send an email to info@businessleader.co.uk and we will add them in.
This list is ranked in order of least to most expensive cyberattack.
Crelan Bank – CEO fraud – £57 million
CEO fraud is a sophisticated social engineering email scam and in 2016, Belgium-based Crelan Bank managed to lose £57 million after falling victim to this type of scheme.
This particular attack saw hackers gain access to the email account of a high-level executive, which they used to imitate the email account of the CEO by masking the sender as the CEO. After doing this, hackers instructed employees to transfer money into a bank account controlled by them, and walked away with £57 million.
Google and Facebook – Fake invoice emails – £75.5 million
A hacker named Evaldas Rimasauska managed to swindle two of the biggest companies in the digital world out of a whopping £75.5 million when he posed as Quanta, a Taiwan-based company that Facebook and Google used as a vendor. He did this by sending both companies fake invoices and getting them to wire him money.
Rimasauska was later convicted of wire fraud, whilst Facebook and Google managed to recover nearly half of the money he stole, meaning nearly £40 million was lost.
Sony Pictures Entertainment – Malware – £80 million
Back in late November 2014, a group of hackers calling themselves “Guardians of Peace” spent at least two months copying critical files from Sony’s servers after using various types of malware to hack the mass media giant.
The hack resulted in the leak of five Sony Pictures’ movies along with the confidential data of about 47,000 current and former Sony employees, whilst the hackers claim to have stolen 100 terabytes of data in total. To make matters worse, the guardians later erased all of Sony’s data, costing the company $100 million (£80 million) in clean-up and data recovery costs.
Anthem Inc. – Phishing attack – £80 million
In 2015, Anthem Inc., one of the largest health insurance providers in the US, had their cloud storage hit by hackers, resulting in the personal information of 80 million people being leaked. Anthem say they believe the attack began after phishing emails were sent to a handful of employees and tricked them into visiting malicious websites or executing malware.
The personal information stolen by the hackers included social security numbers, names and more, meaning there was a risk of identity theft. Estimated costs by the health insurer were more than $100 million (£80 million).
Heartland Payment Systems – Malware – £112 million
US-based payment processor Heartland found themselves the victims of a malicious form of malware back in 2008. The malware managed to steal more than 130 million debit and credit card numbers after breaching their system in 2008, but it wasn’t until 2009 that Heartland learned that they had been hacked.
A total estimated cost of $140 million (£112 million) made it the most expensive data breach at the time, whilst hacker Albert Gonzalez received a 20-year prison sentence for his role in the cyberattack.
TK Maxx – poor wireless LAN security – £129 million
Incredibly, retail giant TK Maxx was hit by the same group of hackers that hit Heartland Payment Systems. The company had reportedly secured its wireless local area network (LAN) using Wired Equivalent Privacy (WEP), one of the weakest forms of security for that type of network.
As a result, the hackers managed to steal millions of credit card numbers throughout 2005 and 2006, originally causing the retailer $118 million (£94 million) in damages, although this figure has since risen to $162 million (£129 million) as a result of the aftereffects.
Sony PlayStation – Data breach – £137 million
The second appearance for the Japanese tech giant on this list. Back in 2011, Sony had their digital network broken into, resulting in hackers acquiring access to more than 100 million online accounts. Their PlayStation Online service was also forced to shut down temporarily.
Sony lost $171 million (£137 million) because of the data breach, with identity theft insurance, security improvements, customer support, and investigation accounting for the damages incurred. However, the devastating blow caused to the company’s image meant billions were also lost in revenue.
Hannaford Bros – Malware – £201 million
US supermarket chain Hannaford had their main servers hit by a Russian/Ukrainian hacker group in 2007, with the hackers managing to spread malware to all 300 of the company’s shops along with a number of independent shops who sold Hannaford products.
The mass data breach resulted in 4.2 million Hannaford customer credit card numbers being stolen, at least 1,800 of which were used for fraudulent purposes. The total estimated cost of the attack stands at $252 million (£201 million).
Veterans Administration – Failure to encrypt data – £400 million
After the Veterans Administration failed to encrypt the records of 26.5 million veterans, military personnel and their families back in 2006, the database containing all these records was stolen. To make matters worse, the unencrypted data was left on a laptop and external hard drive, resulting in not only a huge public backlash but also estimated costs of $100 million ($80 million) to $500 million (£400 million).
Mafiaboy – DDos attack – £801 million
Back at the turn of the millennium, a 15-year-old named Michael Calce carried out a distributed denial-of-service (DDoS) attack on various high-profile websites, including Amazon, CNN, eBay, Yahoo!, and Dell. Operating under the online name Mafiaboy, Calce used a group of university networks to overwhelm these sites with information, causing companies to lose $1 billion (£801 million).
Epsilon – Name and email address breach – £3.1 billion
In 2011, email marketing giant Epsilon was hit by hackers who managed to steal thousands of names and email addresses. This affected up to 75 clients of Epsilon, including Best Buy, JPMorgan Chase and Target, which faced costs nearly $5 million in customer notification, settlement, and compliance costs. In total, Epsilon has lost up to $4 billion (£3.1 billion) as a result of the hack.
ExPetr – Malware – £7.9 billion
ExPetr, also known as NotPeta, is a complicated type of malware that simultaneously used several exploits – codes that take advantage of a software vulnerability or security flaw – to spread around the world, despite only initially targeting Ukraine.
The exploits utilised by the hackers included EternalBlue and EternalRomance, the Mimikatz research tool, and business software MeDoc, which they used to lock infected computers so users could not access any files until paying a $300 ransom in Bitcoins. Taking place in 2017, hackers stole $10 billion (£7.9 billion), making ExPetr the most expensive cyberattack ever.
