2013 Was the Worst Year for Data Breaches

The Online Trust Alliance (OTA) yesterday announced its 2014 Data Protection & Breach Readiness Guide, and within it were some statistics that truly boggle the mind. Working on data from the Open Security Foundation and the Privacy Rights Clearinghouse, the OTA estimated that over 740 million online records were exposed in 2013, the worst year for data breaches in history. That's stark news in advance of Data Privacy Day, which is coming January 28.

In the first half of 2013, there were around 500 data breaches, 89 percent of which the OTA concluded were avoidable. Many businesses and organizations didn't have even the most basic security controls in place, never mind enforce the best data protection practices.

Other statistics highlighted in the report included information that 31 percent of incidents were due to insider threats or mistakes; 21 percent resulted from the loss of computers, hard drives, and paper documents; 76 percent were due to weak or stolen account logins and passwords; and 29 percent of compromises resulted from social engineering—that is, tricking administrators and account holders into giving up their account credentials.

“Data breaches are nothing new and have been around for quite some time; however, what we are seeing is a significant increase in incidents that not only harm consumers, but businesses as well, leading to a breakdown in consumer trust,” said Tim Rohrbaugh, VP of Information Security for Intersections Inc. and OTA Board Member. “Having a rigid, black and white approach to security controls and monitoring and being unprepared for an incident will cost businesses more in the end."

In the guide, the OTA highlighted the Target hack as a "perfect storm," where "victims include not only the consumer, but also the 
business breached and the banks whose credit and debit cards have been compromised." This type of event can create what they call a long-term "business shock," where sales fall, brand strength diminishes, and partnerships collapses, amongst other things. (On Data Privacy Day, the OTA will host workshops in Seattle, San Francisco and New York City, where they will instruct attendees on best security practices.)

"Viewing data breaches as a 'technical issue' is a recipe for failure," wrote the OTA in the guide. In their opinion, the issue of security goes well beyond IT departments. Every department within an organization or business should be involved in readiness planning for security. Which, of course, makes sense since some people just don't know what the hell they're doing with data on a day-to-day basis.

The OTA noted that several considerations must now go into data security. For one, the blurring of the lines between home and workplace has created security vulnerabilities. Data generated by an employee may be safe at a business or organization's headquarters, but at home it's exposed to cyber-criminals. Multiple new devices (smartphones, tablets, etc.) and platforms have also created security risks, creating more points of attack for hackers.

Online Trust Alliance President Craig Spiezle told me that users need to take a more holistic view of privacy and security. "In today’s data driven economy, your data strategy can be a competitive advantage, but only if you are good stewards of the data," he explained. "Being compliant is not good enough. On an ongoing basis re-evaluate the business purposes of collecting and storing data; review which employees needs to have access; and review the policies of your cloud providers."

Spiezle recommends encryption at the very point of data collection and on through data's entire life cycle. Organizations should also continually re-test all sites and mobile apps running SSL (Secure Sockets Layer) security, the protocol that encrypts traffic over the internet. "Keep production systems and data stores isolated," added Spiezle. "Segment and silo data by regions or other attributes to minimize threats impacting a company systematically." More to the point, assume that your company will be breached and plan accordingly. Think of it as doomsday prepping for the data-driven world.

"We need to understand the criminal will continue to evolve and innovate, and as businesses we need to maximize not only protection, but equally as important detection and mitigation strategies," Spiezle said, noting that the long-term costs for lax security will outweigh any short term spending on data protection. "Obviously consumer remediation is important, but lawsuits, regulatory oversight, and consumer remorse can have a significant impact on a company’s bottom line and stock holders."

Spiezle also expects to see an increase in "whaling," which are hacking efforts targeted at high net worth executives and their families. "Criminals follow the money and are becoming sophisticated masters of data analysis," he said. "This year alone we have seen over a five-fold increase in the number of credit cards and social security numbers compromised. With Target, we expect 2013 to be around 155 million."

Though the guide is aimed at businesses and organizations, it would be advisable for every-day internet users to also think as proactively when it comes to data security. Every single user is a potential victim of online theft and fraud. Simple things like regularly changing logins and passwords are essential to maintaining the integrity of account information.

People also exchange account information through emails and texts, which is another recipe for failure. Once a cyber-criminal has account information, they could conceivably use tricky social engineering to gain access to a person's other online accounts. While it might be difficult to hack a person's online banking account in this way, it's certainly not outside the realm of possibility. Speaking of which, disabling the "remember your computer" function, which allows users to bypass security questions on online bank account login pages, is a wise move.

Also, over-sharing on social media—birthdays, names of relatives, etc.—is added ammunition for malicious hackers. Say an online account login asks for the user's mom's maiden name as a security question; if a user previously posted that information via Facebook, for example, it could be exploited. Oh, and backup data on multiple devices in case its stolen. And pay attention on Data Privacy Day. You might learn something.