The New York Attorney General’s office reported last week that 2013 was a record-breaking year, with more than 900 data breaches at public and private institutions in the state. According to the New York Times, 7.3 million New Yorkers had personal and financial records exposed during those attacks.
The attorney general’s report blamed malicious attacks for the majority of data security intrusions in the state over the past eight years, accounting for about 40% of unauthorized data access.
During 2013, data breaches cost the public and private sectors in the state more than $1.37 billion, the report said. Losses were calculated by assuming that a data breach costs an affiliated company approximately $188 for each person whose data was compromised, a figure published in a 2013 report by the security company Symantec and the Ponemon Institute, which researches information security.
Eric T. Schneiderman, New York’s state attorney general, said, “What’s truly shocking about this report, beyond the fact that hacking is now the greatest threat to our personal information and costs us billions of dollars, is that many of these breaches could have been prevented. If millions of New Yorkers were exposed, one can only imagine how many have been compromised across the nation.”
To put Schneiderman’s claim that many data breaches are preventable in context, consider the Data Breach Index’s calculation that encryption was used in less than 4% of data breaches reported during the second quarter of 2014. On Wednesday, data protection solutions firm SafeNet released its Breach Level Index report (PDF) for the second quarter of 2014, which examined 237 disclosed breaches worldwide. The incidents, which left 175 million customer records of “personal and financial information” exposed, included major breaches like those hitting eBay (145 million records) and the Montana Department of Public Health and Human Services (1.3 million people).
The report revealed that, among the breaches, encryption was used in only 10 of the 237 incidents. In two of the 10 “secure breaches” (those where strong encryption, authentication solutions or key management was in use), investigations proved that encryption rendered the data useless to the data thieves.
The Q2 2014 report marks the first time that SafeNet noted the incidence of encryption during breaches.
Data Breaches Up >200% in 1st Half of 2014
In the first half of this year, 381 reported breaches led to the exposure of 10,879,404 individual records in the United States, according to a new report from the Identity Theft Resource Center. That’s equivalent to 2.1 breaches and 60,107 records exposed per day, not counting the breaches that were never reported. With that perspective on the scale of the problem, here’s a roundup of some of the notable breaches from the past week, with leaked data ranging from confidential BBC reports to baseball trade deals.
According to publicly available information collected in the Breach Level Index, there were 254 data breaches and more than 200 million data records lost or stolen in the first three months of 2014. This was an increase of 233% over the same time period in 2013. Of the 254 data breaches that occurred, only 1% were “secure breaches” or breaches where strong encryption, key management and/or authentication solutions rendered the data useless.
On average in 2014, data records are being lost or stolen at the rate of more than:
- 70 million records every month
- 2 million records every day
- 93,000 records every hour
46% of data breaches did not disclose how many data records were lost or stolen. In addition, many data breaches are never reported because they may be unknown to affected companies or organizations or contain records that are not sensitive enough to require notification to affected customers or users.
The Identity Theft Resource Center (IDTRC) reported 431 breaches in the U.S. during the first half of 2014, with more than 11,077,809 individuals facing possible identity theft as a result of exposed personal or financial data. The IDTRC collects and reports on data breaches in which an individual’s name plus Social Security Number (SSN), driver’s license number, medical record, or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format.
A worrying number of those breaches involved minors, the center said, since they involved schools in Colorado, Maryland, Missouri, Pennsylvania and Texas. In fact, almost 10% of all data breaches are now in education, which has been slow to adopt encryption technologies that could protect student data, the report says.
Securing the Breach
The key to protecting sensitive data, especially in a BYOD environment, is to switch the focus from protecting the network to protecting the data, says Jared Hansen, CEO and founder of Breezy, the leading secure mobile printing solutions provider.
“Traditional network breach protection – firewall, intrusion protection system (IPS), antivirus, Web filtering – doesn’t work anymore to prevent data breaches. That’s because the traditional network perimeter no longer exists in today’s world,” Hansen explains.
It’s a given that you can’t keep data thieves off your network forever, especially since malicious insiders claimed the top spot for record breaches during the first quarter of 2014. A malicious insider is a user who is authorized to use the network – an employee, contractor, or guest – who knowingly steals data.
Hansen says that the key to protecting data is no longer preventing a breach, but securing data so that even when a breach occurs, the data is useless to criminals. “Data that’s encrypted on the storage device is useless to a data thief. That’s why on-device encryption is the best protection against all kinds of data breaches, including malicious insiders. The data thief needs both parts of the encryption key to make sense of the data, and since the keys don’t reside in the same place and are designed to be used only in specific instances such as when an encrypted document is sent to an approved printer, it’s the most secure data protection scheme available.”