Not all cyberattacks are created equal: What researchers learned from 103 ‘extreme’ events

Nation-state attackers do more financial damage than one might expect, the Cyentia Institute study found.
Data breach concept art: Getty Images

There’s a relatively small swath of cyberattacks mixed among the more common variety that are truly extreme, costing tens of million of dollars and beyond, or exposing millions of records.

A report out Tuesday identified a little over 100 that fit that description over the past five years. The researchers learned that these massive events cost a median of $47 million and usually came via straightforward hacks or ransomware. They appear to be growing more frequent, and nation-state hackers are behind them to a surprising degree, the report says.

But the report from the Cyentia Insitute, a data science firm, also found that these extreme attacks don’t affect all their targets in the same way. Some cost companies nearly 100 times their revenue, while others were still just a drop in the bucket, costing as little as 0.1 % of their revenue. And the financial, information and manufacturing sectors accounted for more than half of the 103 incidents.

“What was most striking was just the idea that there’s real impact here as to opposed to the theoretical or higher frequency, lower impact events,” said Derek Vadala, CEO of VisibleRisk, which sponsored the study. VisibleRisk is a joint venture of Moody’s, the credit rating agency, and Team8, a venture capital firm.


Many of the findings are just what the researchers anticipated, but there were also unexpected results. Hackers linked to nation-states accounted for 43 percent of the financial losses.

“I knew they were out there. I knew they were a big deal,” said Wade Baker, partner and co-founder of the institute. Baker once led Verizon’s annual data breach report. “I did not expect them to compete with organized criminals in terms of driving overall monetary losses,” he said.

The global 2017 NotPetya attack heavily skewed that figure, accounting for 20 percent of the losses by itself.

Other notable findings:

  • Stolen passwords and other credential-related attacks were responsible for the largest number of incidents and biggest losses, followed by remote access malware.
  • Companies reported the losses to the Securities and Exchange Commission to widely varying degrees, sometimes devoting little attention to them and sometimes differing from public sources in their estimates of their cost.
  • Business interruption costs were the most common kind of costs.

Latest Podcasts