Although the largest data breaches take all the headline space– Target, Sony and NASDAQ are three recent ones that spring to mind – it is actually the smaller, non-malicious data breaches that are the biggest risk.
Advisen data shows that most data breaches occur via a laptop computer or mobile device, indicating that employee negligence is a more significant risk factor for information leakages than the high-profile criminal hacking gangs.
Advisen looks at the development of data breach events over time and across industries and asks: What are they? Who conducts them and why? Who is more vulnerable to an attack? What does a breach mean to a corporation?
Data breach is on the way down in terms of overall percentage of cyber events per year.
Advisen defines Digital Data Breach, Loss, or Theft as “Digital breach, distribution, loss, disposal, or theft of personal confidential information, either intentionally or by mistake, in such a way to enable the information to be used or misused by another”.
System or network security violation or disruption is up as a percentage of total events. Advisen defines this type of event as “Unauthorized use of or access to a computer or network, or interference with the operation of same, including virus, worm, malware, digital denial of service (DDOS), etc.”
Using these definitions, there appears to be a growing trend for hackers seeking to disrupt systems for publicity, rather than merely stealing personal information.
For example, 2012 saw a marked increase in “hackivist” activity as well as state sponsored hacking. Hacking group Anonymous increased its activity, and in February 2013, computer firm Mandiant identified the People’s Liberation Army’s Unit 61398 based in Shanghai as the party most likely responsible for hacking over 140 organizations from 2006-2013.
These definitions aside, the graphic shows two main types of cyber attacks accounted for more than 70 percent of total cyber events in 2013.
As stated above, the vast majority of data breach incidents are caused by non-malicious employee negligence.
A 2013 Ponemon Insitute survey shows that employee or contractor negligence and system error or malfunctions are the two primary types of data and security breach incidents experienced by organizations.
Failure to degauss or thoroughly wipe a device containing sensitive or confidential data was the main reason a breach occurred, closely followed by an employee or contractor losing a device containing sensitive or confidential data, according to Ponemon.
SQL injections, targeted attacks and advanced malware were the main causes the malicious breach., the survey said.
However, the largest – and most costly – breaches are malicious acts, perpetrated by larger and more organized groups.
This table shows the top 10 data breaches of all time and highlights a trend toward stealing financial and credit card details from affected customers.
So, why steal this data? The simple answer is two-fold: Credit card information is relatively easy to obtain and easy to use. Also, the re-sale value of such information can be high.
In a January 2014 blog entry, Symantec employee, Marika Pauls Laucht, highlighted findings from a Symantec report on goods offered for sale on the underground economy.
According to the report, prices for credit card numbers ranged from $0.10 to $25 per number, depending on the country of issue of the card, sizes of bulk/discounted packages, and whether or not extra value items such as the CVV2 number [used for identification in not-present transactions] or PIN were included.
“Prices for bank account information ranged from $10 to $1,000 per account, depending on the amount of funds available, the location, and the type of account. Advertised corporate and business accounts were more expensive, as they usually have higher advertised balances,” Laucht continued in his blog.
Symantec estimated that the total potential worth of credit cards and bank accounts available on the underground economy amounted to a staggering $7 billion.
The industry most susceptible to a data breach event is the public administration sector. However, this sector does not lead the board when it comes to the number of people affected by each data breach event.
When an attack occurs, the infrastructure industry (defined by Advisen as transportation, communications, electric, gas and sanitary services) is by far the hardest hit.
The median affected count – a more reliable metric that shows the mid-point of all individuals affected by data breach events in this sector – is 4,500 people for the infrastructure sector.
For public administration, the median number is just 2,500.
Interestingly, the median affected count for the retail trade is just 1,000 individuals, which belies the current headlines for Target, Neiman Marcus and Michaels.
When data is stolen, 66 percent is personal financial data, while 31 percent is private personal data of another nature. Just 4 percent of data stolen is corporate digital assets, according to Advisen data.
Javelin Strategy & Research’s 2013 Identity Fraud Report, cited that 12,600,000 Americans were victims of identity fraud in 2011, a more than 23 percent increase in two years.
Almost half of the post-breach costs incurred by a corporation are related to first party remediation efforts.
A data breach could be paralysing for a business, hitting reputation and share price and costing the firm in lost productivity while focus is on the breach, rather than business. A further 20 percent of costs are related to first party expenses, according to Advisen data.
Most companies will hire forensic and investigative teams to look into the causes of a breach, while also spending significant amounts on additional security measures, post-loss.
A Ponemon Institute Cost of Data Breach study published in March 2012, said the average cost of a data breach per compromised record is $194. However, if the root cause is the result of a malicious insider or attack the average per record cost climbs to $222. While breaches attributed to a negligent insider averages far less at $174 per compromised record.
With the malicious breach, organizations suffered lost time and productivity followed by loss of reputation. Non-malicious data breaches on average were less costly $500,000 vs. $840,000, the study found.
Litigation is also an important factor in increasing the cost of data breaches to organizations.
Advisen’s data breach litigation frequency index the number of lawsuits filed subsequent to a data breach event has increased 2.5 times since the index started in 2006.
Advisen has been tracking the class action lawsuits filed against Target as a result of its 2013 breach.