Two SafeNet Surveys Show It is Pretty Ugly Out There Regarding Data Breaches

We all know from reading the drum beat of headlines that both the frequency and sophistication of data breaches unfortunately continue to increase. Confirmation of just how ugly things are comes in the latest highlights (maybe a better word would be “details”) contained in the release by security solutions provider SafeNet (News - Alert) of not one but two surveys highlighting the level and nature of data breaches along with consumer attitudes about them.

 The SafeNet Breach Level Index shows bad guys have been very active

For those keeping score of what those with malicious intent are up to, the SafeNet Breach Level Index (BLI) is a valuable resource.  The most recent index, which looks at the second quarter of 2014 found that there were a total of 237 breaches that compromised more than 175 million customer records of personal and financial information worldwide. 

In addition, for the first half of 2014, more than 375 million customer records were stolen or lost as a result of 559 breaches worldwide. Of intense interest is what transpired in the retail industry which had more data records compromised than any other industry during the second quarter, with more than145 million records stolen or lost, or 83 percent of all data records breached.  SafeNet, emphasizing the old adage that “an ounce of prevention is worth a pound of cure,” noted that one percent of all 237 breaches during the second quarter were secure breaches where strong encryption or authentication solutions protected the data from being used.   

The granularity of the index is illuminating. The Breach Level Index provides details about hundreds of individual data breaches, which can be sorted by source, industry, risk level, and date. During the second quarter activities of note included:

• In each of the last four consecutive quarters, there has been one major data breach in which more than 100 million records were exposed.
• 175,655,228 records were stolen in the second quarter. This equates to 1,951,724 records stolen per day; 81,321 stolen per hour; and 1,355 records stolen every second.
• Malicious outsiders are targeting businesses’ most critical records. They are responsible for compromising 99 percent of the records and 56 percent of the incidents this quarter, more than any other source. 
• Healthcare incurred 23 percent of incidents, more than any other industry, but only accounted for 782,732 records lost or less than 1 percent of all records stolen during the quarter.
• Identity theft was the leading cause of breaches with 58 percent of all incidents and 88 percent of records stolen.
• Encryption was used in only 10 of the 237 reported data breach incidents.  Of those, only two could be classified as secure breaches in which encryption restricted the access of stolen data.
• The U.S. accounted for 85 percent of records compromised worldwide and 74 percent of all reported incidents, more than any other country. Germany followed with 10 percent of all records stolen.
• Three of the top five breaches were based in the U.S., with the other two breaches occurring in Europe.
• Government was the second least secure sector after retail, accounting for 11 percent of all records that were lost or stolen. The Department of Veterans Affairs incurred the most breaches, having been hacked during each quarter of 2014.
• Financial services breaches decreased significantly from the first quarter, down from 56 percent to less than one percent of records stolen in the second quarter.

“Even amidst continued warnings about data security, the breach epidemic is trending in the wrong direction. 2014 has proven to be more of the same, with 375 million customer records stolen in the first six months alone,” said Tsion Gonen, chief strategy officer of SafeNet. “While it’s not surprising that sophisticated cybercriminals are gaining access to critical data stores, what is surprising is that only one percent of breached records had been encrypted. The benefits of encryption have been known for some time, but companies just aren’t doing it. It’s the security industry’s equivalent of flossing your teeth. Everyone knows it’s good for you and the technology is proven, but only a small percentage of companies do it well.”  

To learn more about the SafeNet Breach Level Index and the methodology employed, check out the website that SafeNet has created for it.  

Consumers becoming wary

As noted, SafeNet also announced the results of a global survey of more than 4,500 adult consumers in five of the world’s largest economies – U.S., U.K., Germany, Japan, and Australia. In what should amount to a call to action, nearly 40 percent of respondents said they would never, or were very unlikely to, shop or do business again with a company that had experienced a data breach.  This sentiment increased to 65 percent if the data breach involved customers’ financial and sensitive information. In short, the survey results illustrate the impact that data breaches can have on customer loyalty and corporate revenue, and not in a good way.

“Data breaches are not just breaches of security.  They’re also breaches of trust between companies and their customers, and can result in not only negative publicity but lost business, lawsuits, and fines that can threaten the viability of the business,” Gonen added. “For organizations that fail to address their security vulnerabilities, the problem is only going to get worse as stricter regulations governing the reporting of data breaches are introduced across the world, making breaches more visible to the public. So companies need to do all that they can to keep customer data protected.”

Here are some of the results from the survey that should give any enterprise cause for reflection on their level of security of personal information. For adult respondents saying they would never, or were very unlikely to, shop or do business again with a company that had experienced a data breach where financial data was stolen, the breakdown by countries surveyed is as follows:

• 54 percent in the U.S.
• 68 percent in the U.K.
• 53 percent in Germany
• 82 percent in Japan
• 72 percent in Australia

As a further cautionary piece of information from the survey, only half of adults surveyed feel that companies take the protection and security of customer data seriously enough - a sentiment that‘s likely to have been influenced by the high volume of data breaches in 2014. For example, SafeNet cites the fact that during the second quarter alone, data breaches hit such well-known companies as AOL, Dominos, eBay, Office, and Spotify (News - Alert), with more than 175 million customer records of personal and financial information compromised worldwide.                           

“With the increasing frequency and size of data breaches, it’s clear that being breached is inevitable and perhaps only a matter of time. Cyber criminals are going after easier targets, and that is frequently personal data that is often unencrypted. With the implications clear, it’s time for companies to start thinking about protecting more of that data with strong encryption and multi-factor authentication. Only those organizations that adopt a ‘secure breach’ approach and ensure that all customer data remains encrypted will find themselves able to retain their customers should a data breach occur,” Gonen concluded.

 Taken together the two surveys contain valuable lessons. First obviously is that encryption is the way to mitigate risks associated with data breaches. In fact, if you are not using encryption today or it is not on your radar as a necessity, your organization is literally asking to be targeted by the bad guys. Second is that lack of action has consequences. Trust is extremely hard to establish, easily lost and extremely difficult to regain. Consumers are casting more than just a skeptical eye on companies who have allowed personal information to be compromised, and the consequences of inaction can to say the least are likely to be extremely severe.