The How and the Why of Data Breaches
We already talked about what a data breach is and how it can affect you. What we haven't discussed is how often data breaches happen and what causes them. With the next few paragraphs, we'll try to clear this up.
How much information actually gets leaked?
Yesterday, security company Gemalto released their 2017 Data Breach Level Index Report which states that last year, around 2.6 billion records got exposed. On average, that's 7.1 million records per day, 297 thousand per hour, or nearly 5 thousand every minute. Or is it?
Well, other research firms have put out their own reports on the incidents that led to the exposure of data, and it's fair to say that the numbers don't really match. In fact, they vary wildly. You'd think that putting together the stats for this sort of thing would be a relatively straightforward job, but the amount of information that leaks every day is so huge that accurately measuring it is anything but easy.
How do companies learn that they've been breached?
There's another factor contributing to the inconsistent research reports. A data breach can have an absolutely devastating effect on a company's reputation. Consumers' data is exposed, and they think (in most cases, rightly so) that it's not handled properly. That's why, sometimes, service providers try to cover up a breach in an attempt to save face. Not all of them do it, but we've seen it happen. There's a bit more to it than that, though.
There's a piece of common wisdom in infosec circles that goes like this: "There are two types of organizations: those that have been hacked, and those that don't know it yet." Even if a company is trying to be 100% transparent about the attack it has suffered, it's not always as easy as publishing an announcement featuring the customary "We take security very seriously."
In 2013, for example, Yahoo! got hacked, but it wasn't until February 2017 that the company realized it. And even then, what was once the world's biggest email provider initially thought that only a portion of its users had been affected. Several months later, it turned out that all 3 billion accounts that were active in 2013 had been exposed, making this the largest data breach ever recorded.
The bottom line is that finding out that a system has been compromised isn't as straightforward as you may think. The same goes for investigating the incident.
Who is responsible for all the data breaches?
When you think of a data breach, the image that comes to your mind probably includes binary code, a laptop, and a teenager in a hoodie (the Guy Fawkes mask is optional). Indeed, while they can't agree on how much data gets lost or stolen, most of the research reports point to malicious hackers as the cause of the majority of incidents. Spear phishing, clever social engineering, and bleeding-edge malware are just some of the tools of their trade, and there's no getting away from the fact that their attacks have evolved quite a bit. But they're not always to blame when information gets leaked. Sometimes, it all comes down to good old human negligence.
Last month, news broke of a White House staffer who first wrote his email address and password on a piece of paper and then left it at a bus stop, sending tidal waves of facepalms the world over. This is the sort of negligence we're talking about, and unfortunately, it doesn't always come from employees who don't have the word "cybersecurity" in their job descriptions.
IT staff, who should know better, also make costly mistakes. The data breach Equifax suffered, for example, was caused by a web application vulnerability for which a patch had been available for months. We've also seen companies storing information in unprotected databases that are accessible from anywhere in the world. In most cases, these mistakes are unintentional. Sometimes, however, they aren't.
Consider an employee who is about to quit but isn't happy with their severance pay, or a contractor who wants a bigger paycheck. You might not view these people as a particular threat, but a threat they are.
It's all because, as The Economist pointed out last year, data (and that includes your personal data) is the new oil. As long as there are people willing to capitalize on it, there will be data breaches. And there will always be people willing to capitalize on the world's most valuable resource.