After a bad 2013, the number of disclosed global data breaches rose by another 50 percent last year to reach 1,500, according to Gemalto’s Breach Level Index (BLI), which is based on publicly disclosed incidents.
Given that news of data breaches is an almost daily occurrence, the record-breaking nature of 2014 won’t come as a surprise to many people, nor the fact that just shy of 800 million of the one billion compromised records (excluding the CyberVors breach - see end note) were in US organisations.
Those records came from 1,107 individual reported breaches, which in terms of incidents put the UK in second place with 117. However, the average UK data breach was much smaller, with only 10.2 million records compromised in total, well behind Germany and Australia on 42 million each.
The first issue is how to assess the severity of data breaches – is it size that matters, the number of records taken, type of data in those records, or the extent to which criminals are able to exploit the data they take?
Another issue is how much can be read into publicly disclosed data breaches, given that the US and UK have tougher disclosure rules than other countries and so might only appear to have a bigger problem.
The BLI gives each breach a severity rating; under it, the top US data breach of 2014, Home Depot, scored a ‘10’ for the 109 million records breached. In second place, also on 10, were JPMorgan Chase (83 million records) and eBay (145 million).
Only seven breaches rated at the maximum ‘10’ severity have ever been recorded, five of them in 2014 alone.
In the UK, the top 2014 breach was Mumsnet, given a severity rating of 8.3 for the 1.5 million records potentially compromised, ahead of Affin Bank Berhad at 8.2 for its 1.271 million records and Harley Medical Group on 7.9 for 500,000 records.
Some smaller UK breaches got relatively high ratings because of the type of data compromised. A good example was the 100,000-record internal breach at Morrison’s Supermarket, which happened to be of its entire workforce database.
“Not only are data breach numbers rising, but the breaches are becoming more severe,” commented Gemalto’s VP of cloud services, identity and data protection, Jason Hart, who also put the danger from this into a wider perspective.
“Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we’re starting to see that the universe of risk exposure for the average person is expanding.”
That’s the bit that underlines why breaches matter and aren’t simply an issue for the organisations involved. The lost or stolen data goes somewhere, and usually not to a good place. Very little of it can ever be recovered or erased, and it could end up affecting ordinary people.
Unfortunately the industry remains fixated on narrow self-interest, more concerned with whether financial data is encrypted, to protect itself against losses, than with the long-term effect on a consumer should criminals find out names, social security numbers and dates of birth, none of which can be changed the way a credit card number can.
The BLI started life under the auspices of SafeNet, which was bought by Gemalto for $890 million last August.
Note: the BLI website records the 1.2 billion records from the massive CyberVors breach haul, but does not count them in the 2014 total. This is because, although the breach was discovered in 2014, the records were probably stolen over several previous years.