To say that 2014 has been a banner year for data breaches may be an understatement. According to the Identity Theft Resource Center (ITRC), there have been over 700 data breaches reported in the U.S. so far this year, a 26 percent increase over the same time period in 2013. Of the breaches that have been reported this year, the overwhelming majority have affected healthcare entities and businesses. Together, these breaches have resulted in the exposure of more than 81 million records.
While data breaches certainly aren’t a new phenomenon, it seems as if the Target breach that occurred late last year set off a domino effect of intrusions that have continued throughout 2014. This year alone, major breaches have been reported at Home Depot, JPMorgan Chase and the U.S. Postal Service just to name a few. Given the ever-increasing number of retailers, financial services firms, hospitals, and even government agencies that are having their computer networks broken into, does 2015 stand poised to eclipse the breadth and scope of data breaches that have been reported this year?
In an attempt to answer this and other questions, Experian released its “Second Annual Data Breach Industry Forecast,” which highlighted six different trends to watch in 2015. SIW recently spoke with Michael Bruemmer, vice president with the Experian Data Breach Resolution group, to get his take on how these trends will shape the data breach landscape moving forward.
1. Rise and Fall of Payment Breaches
Although many retailers have already begun the process of phasing out magstripe payment card readers in favor of chip and PIN point-of-sale devices in anticipation of the October 2015 “liability shift” deadline, Bruemmer believes that the closing of that window may precipitate additional attacks by cyber thieves. Additionally, because the deadline has been announced for some time, Bruemmer said hackers have had a head start on researching chip and PIN terminals to try and figure out their vulnerabilities.
“There may be a switch from brick-and-mortar breaches over to online attacks,” explained Bruemmer. “Because everyone is trying to shift to new technology – you can look back at healthcare seven or eight years ago when the shift from paper records to electronic records started – just that shift in technology created a lot of handoffs of data that opened up loss of data or data breaches.”
2. More Hackers to Target Cloud Data
Recent retail data breaches have drawn more attention to the role employee/vendor negligence plays in these incidents, but Experian expects there will be an increase in breaches next year involving usernames and passwords stored in the cloud. According to Bruemmer, usernames and passwords for privileged and administrator accounts really are the “keys to the castle” when it comes to data security, as evidenced by their value on the black market. In fact, a study conducted by Juniper Networks and the RAND Corporation found that a Twitter account was more valuable on the black market than a credit card number.
“There’s going to be more focus on passwords, particularly users that have privileged accounts or administrative rights to get into the system,” said Bruemmer. “If you just look at the last 12 months that have been reported and the forensics have been done, it generally comes back to an employee mistake and it is an administrative credential that was compromised, either inadvertently by a phishing scheme, a brute force attack or forgetting to change passwords on a regular basis with companies changing employees and old credentials not being shut down. That, to me, has been the tip of the spear in the more high-profile breaches that have been completely reported out in the media and I don’t think that’s going to change going into 2015.”
3. Persistent and Growing Threat of Healthcare Breaches
As hospitals and clinics continue to make the transition to electronic medical records (EMR) and with more people adopting wearable technologies (Fitbit, Apple Watch, etc.), the healthcare industry remains a ripe target for data thieves. In fact, more than 42 percent of breaches reported this year, according to the ITRC, have occurred in the medical/healthcare sector.
“The value of healthcare credentials along with other PII (personally identifiable information) is still about four or five times more valuable than non-insurance or non-healthcare-based sensitive information,” explained Bruemmer. “Secondly, you have all of this distributed technology, whether it is through the healthcare exchanges, the switch to electronic medical records or wearable technology… that are all going to contain sensitive information.”
4. C-suite to Face Increased Scrutiny
Shortly after the full details on the Target breach became available, there was a major shakeup in the retailer’s upper management ranks. Not only did the company’s CIO resign in the wake of the breach, but the company’s CEO, who had been with the retail giant for 35 years, also stepped down. Data breaches are no longer just the purview of the CISO or IT department. Because they pose such a huge risk to the security and bottom line of companies, senior managers are now expected to play an active part in understanding the risks and taking appropriate steps to mitigate them.
“I can tell you that C-suite executives are being held more accountable for data breaches,” Bruemmer said. “One of the surprising things that we found in one of our surveys this year was that 17 percent of senior executives said that they weren’t aware if their organization had a breach or had not had a breach. Interestingly enough, I think that number is really high, but I think that’s changing and I think there’s not many executives now, with all of the high-profile breaches, that can say going forward that they weren’t aware that their organization suffered a breach because they are now being held accountable.”
5. Employee Mistakes Remain the Biggest Threats
Perhaps one of the biggest misconceptions about data breaches is that most of them are the result of some sophisticated hacking scheme carried out by criminals half a world away. In reality, the majority of data breaches are the result of employee negligence, such as posting usernames and passwords in plain sight or losing a laptop computer that contains sensitive information.
“Companies are not investing enough in security and privacy training. In fact, a recent survey that we did with the Ponemon Institute found that only 54 percent of organizations conduct regular security and privacy training for their employees,” added Bruemmer. “Even though it sounds great to make these big investments and increase in budget on anti-malware, anti-virus protection, firewalls, etc.; the biggest bang for their buck and a missed opportunity is focusing on good training.”
6. Rise in Third-Party Breaches via the Internet of Things
The concept of the “Internet of Things,” in which an ever-increasing number of appliances and devices are being connected to the web, has taken businesses across a variety of industries by storm. Cisco predicts that by 2020, there will be somewhere between 20 and 50 billion connected devices in use around the world. With this increasing level of connectedness, however, also comes the threat of malicious actors who could exploit it.
“There are so many devices out there that contain personal identity information that cyber-attacks are going to continue to focus on the weak link and the Internet of Things will come more to the forefront in 2015,” Bruemmer said. “Accessibility has trumped security in the development of these devices. When you case a house, you look for the open window. You don’t go to the front door to break it down if you can go in through the window. Using that same analogy, if you can get someone’s personal information, bit-by-bit, like having access to devices where this information is stored, you don’t have to break into their safe or go ahead and break into their brokerage account.”