Data breaches are a bad thing but are some worse than others in a way that can be measured objectively?
Encryption firm SafeNet believes its new Breach Level Index (BLI), developed jointly with security analyst Richard Stiennon’s IT-Harvest, offers a solution. Covering 2013, the 575,486,661 records breached offer a disturbing new high-water mark for what we know has been happening, even though the figure covers only incidents that were publicly disclosed.
But instead of simply ranking publicly disclosed breaches by the number of records compromised, the BLI sets out to order them as one might for earthquakes or hurricanes, using a logarithmic scale.
Using that, the recent Target and Adobe breaches (a combined total of 262 million records) score a maximum 10.0, the Evernote breach from earlier in the year (50 million) scores 8.8, while the relatively tiny MacRumors forum break-in (860,000 records) is a 7.8.
This means that "a score of 7 is 100 times more severe than a score of 5,” to borrow SafeNet’s own description of how its scientific methodology works. One danger in this approach is that people don’t understand data breach logarithms any more than they understand the Richter scale for earthquakes: a 7 sounds worse than a 5, but not 100 times worse.
Another issue is that a quick check of the BLI database shows that severity (i.e. the rating) lines up with breach size, a long-winded way of saying that the most massive data breaches are overwhelmingly the most severe.
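To make the logarithmic point concrete, here is an added example (not SafeNet’s proprietary BLI formula, which the article does not give) that scores breaches by a plain base-10 logarithm of the record count, converts a score difference back into a severity ratio, and checks that ranking by such a score is the same as ranking by raw size. The breach sizes are the ones quoted in the article; the scoring function and its name are assumptions for illustration only.

```python
import math

# Constructed sample input: the record counts the article quotes.
BREACHES = {
    "Target + Adobe (combined)": 262_000_000,
    "Evernote": 50_000_000,
    "MacRumors forum": 860_000,
}


def log_score(records: int) -> float:
    """Hypothetical severity score: log10 of the record count, so every
    extra point means ten times as many records. This is an illustrative
    scale, NOT the BLI's real (undisclosed) weighting."""
    if records < 1:
        raise ValueError("record count must be at least 1")
    return round(math.log10(records), 1)


def severity_ratio(score_a: float, score_b: float) -> float:
    """How many times more severe score_a is than score_b on a base-10
    log scale: two points apart means a factor of 100."""
    return 10 ** (score_a - score_b)


def rank(breaches: dict) -> list:
    """Rank breaches by hypothetical score, highest first.
    Returns (name, records, score) tuples."""
    scored = [(name, n, log_score(n)) for name, n in breaches.items()]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def same_order_as_size(breaches: dict) -> bool:
    """A pure log-of-size score orders breaches exactly as raw size does,
    which is the 'severity lines up with size' observation above."""
    by_score = [name for name, _, _ in rank(breaches)]
    by_size = sorted(breaches, key=breaches.get, reverse=True)
    return by_score == by_size


if __name__ == "__main__":
    for name, records, score in rank(BREACHES):
        print(f"{score:4.1f}  {records:>12,}  {name}")
    print("7 vs 5 is", severity_ratio(7, 5), "times more severe")
    print("order matches size:", same_order_as_size(BREACHES))
```

The `log_score` values will not match the article's BLI numbers (the BLI weights other factors); the example only shows the arithmetic behind "one point equals ten times".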
For breaches, big is always bad; sometimes it is simply very bad.
SafeNet still thinks it has hit on something. “Not all breaches are created or should be treated alike. The Breach Level Index helps us track and differentiate between an insecure breach, in which customer data is compromised and lost, and a secure breach, where data is stolen but cannot be deciphered by cybercriminals because it is encrypted, rendering it useless to them,” said SafeNet’s vice president of cloud solutions, Jason Hart.
Interestingly, the BLI’s sector breakdown accords roughly with 2013 numbers from the US non-profit Identity Theft Resource Center (ITRC), in that sectors such as healthcare report a large number of individual breach incidents (31 percent) that account for only a small number of records (2 percent).
In contrast, the tech sector has relatively few breaches (11 percent), but these tend to be much larger (43 percent of the records), giving an average of 5.7 million records per breach. This matters because it tells us something about the state of the databases held in these sectors; healthcare holds databases that are fragmented and smaller while technology firms have consolidated these into super-databases. It follows that fragmented databases are harder to protect but offer hackers fewer records when compromised.
Despite its proprietary methodology, the BLI still does the useful job of cataloguing publicly disclosed data breaches, not just from the US (which has good breach disclosure laws) but across the world. It is also a useful source for information that tends to be fragmented across different websites.
For the UK, the team behind the BLI have extracted a figure of 1,699,821 UK data records compromised in 2013, although it is not yet possible to see the data broken down by country on the website itself (that feature is promised for the future).
There remains a vast amount of work to be done. SafeNet admits that the apparently shocking 575 million figure is a marked under-estimate because 44 percent of the breaches it researched didn’t mention how many records were involved. Many others never come to light at all.
The firm’s ambition is that organisations will use the Index with their own breach data, getting a risk assessment score of severity at the end. This is more marketing than substance because nobody needs a website to know that losing half a million customer records to a hacker is likely to result in a score somewhere between a 7 and an 8, i.e. bad.