Cyentia Institute and RiskRecon released a research that quantifies how a multi-party data breach impacts many organizations in today’s interconnected digital world.
The study is based on an analysis of 897 multi-party breaches involving three or more interrelated companies.
The impact of multi-party data breach events
- 897 multi-party data breach incidents, also referred to as ripple events, have been observed since 2008.
- 147 newly uncovered ripples were observed across the entire data set, with 108 occurring in the last three years.
- A median ripple breach event causes 10x the financial damage of a traditional single-party breach.
- The worst of the multi-party data breach events causes 26x the financial damage of the worst single-party breach.
- It takes 379 days for a typical ripple event to impact 75% of its downstream victims.
- The median number of organizations impacted by ripple events across the data set was 4.
Creating a ripple effect across numerous organizations
Data breaches and security exposures are bad enough when they impact one or two businesses at a time. But in today’s interconnected digital world, we’re seeing an increasing number of security exposures that create a ripple effect across numerous organizations.
The growing body of observational data across more than a decade of publicly reported breaches points to how widely the waves of impact from a security incident at a single organization can spread across industries and other individual organizations.
One breach at a technology service provider, for example, could expose the records of hundreds of their business customers if the system is central to the services they provide. Additionally, the security weaknesses of so-called Nth parties—4th party, 5th party, and so on across the business value stream—can and do affect organizations that do not necessarily do business with them directly.
The SolarWinds incident stands foremost among them, providing the strongest anecdotal evidence and warning of how a damaging ripple event can unfold. The argument here is that SolarWinds was not an anomaly or a singular event, and we’ve got the data and stories to prove it.