Gemalto, a digital security company, recently published a 16-page report that covers disclosed breaches across industries globally. It provides a breach level security score from 1 (minimal) to 10 (catastrophic). This score is based on a combination of the number of records breached, the type of data contained in those records, the source of the breach, and how the data was ultimately used.
Although the report covers only a 6-month span, 918 breaches were disclosed, affecting nearly 2 billion records. In 59.3% of those breaches the number of compromised records was not known, and in only 4.6% was encryption used as part of the security measures.
The greatest number of disclosed breaches occurred in North America (88%), equating to 808 incidents out of the 918.
Industries impacted were healthcare, financial services, education, retail, government, entertainment, industrial, and technology. Identity theft was the leading type of breach, followed by financial access and account access.
Gemalto estimates that over ten thousand breaches in which records are lost or stolen occur every day. So, how do these breaches occur, who is behind them, and how do we stop them?
A New Approach to Security
In the report, Gemalto highlights that the prevalence of IoT could become a contributing factor to the rise in breaches. Many, if not the majority, of these devices have little to no security built in, exposing themselves and their networks to potential attacks.
Furthermore, not mentioned in the report are new threats such as BlueBorne, which uses the Bluetooth connection of most mobile devices as an attack vector. Malicious outsiders, people deliberately trying to access data, were the greatest source of breaches in the first half of 2017.
Breach sources. Image courtesy of Gemalto.
Technology has changed, but security largely has not. This is most obvious when analyzing the next most common type of breach in this data set, "accidental loss", which commonly results from inadequate security, unsecured databases, and insufficient internal security practices. This category also accounted for the largest amount of stolen data.
Security is becoming a larger share of IT spending, but that spending has not translated into better protection against data breaches, because it often goes to network perimeter technology: things like a firewall that keeps a network separated from the Internet or other external networks.
The main mantra of the report is a shift from "breach prevention" to "breach acceptance": we should expect breaches to occur and focus instead on minimizing the damage when they do. Current security practice tends instead to make data access and movement ever more restrictive.
Of the stolen data records in the first half of 2017, less than five percent were encrypted. Some suggested solutions are to encrypt sensitive data, use and control user authentication, apply multi-factor authentication, and keep encryption keys secure. That way, if data is stolen, it might not be usable by the attacker.
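One way to apply the report's advice at the record level, as an added example that is not from Gemalto or the original article: each sensitive field is sealed with AES-256-GCM under a key held outside the database, with the record ID bound in as associated data, so a stolen table is unreadable without the key and a ciphertext cannot be moved between records. The `Vault`/`Record` names, the 32-byte key, and the record layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is one stored row: the ID stays in the clear for lookups, while the
// sensitive field exists at rest only as nonce || AES-256-GCM ciphertext, so a
// dump of the table without the key yields nothing readable.
type Record struct{ ID string; Sealed []byte }

// Vault holds the data-encryption key, which lives outside the database.
type Vault struct{ gcm cipher.AEAD }

// NewVault takes a 32-byte key (AES-256); it is the only place the key is seen.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{gcm: gcm}, nil
}

// Seal encrypts one field; the record ID is bound in as associated data so the
// ciphertext cannot be quietly re-attached to a different record.
func (v *Vault) Seal(id, plaintext string) (Record, error) {
	nonce := make([]byte, v.gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{ID: id, Sealed: v.gcm.Seal(nonce, nonce, []byte(plaintext), []byte(id))}, nil
}

// Open reverses Seal; it fails on a tampered ciphertext, one moved under
// another record ID, or a Vault built from a different key.
func (v *Vault) Open(r Record) (string, error) {
	n := v.gcm.NonceSize()
	if len(r.Sealed) < n {
		return "", errors.New("sealed value too short")
	}
	pt, err := v.gcm.Open(nil, r.Sealed[:n], r.Sealed[n:], []byte(r.ID))
	return string(pt), err
}
```

Keeping the key in a separate key-management service rather than next to the data is what makes the "breach acceptance" stance work: an attacker who copies the table still has to obtain the key separately.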
Equifax and the Kerala DMV: Perspectives on Data Protection
Of course, you should also do your best to protect your own data. The largest volume of data stolen in the first half of 2017 was through an accidental loss by the motor vehicles department in Kerala, a state in India. Over 200 million data records containing vehicle registration information were stolen. This received a breach level index rating of 9.9 due to the sheer amount of data stolen and the potential use of that information, which in this particular instance might be identity theft.
Not included in the report, since it was not disclosed until the second half of 2017, is the Equifax data breach—over 143 million customers in the USA had data exposed that included names, social security numbers, and other personal information.
In both cases, Kerala and Equifax, it was failure on the part of the institution that led to personal data being compromised to a serious degree. For Equifax in particular, the breach appears to have been possible due to a flaw in a web tool.
Image courtesy of SSRS.
Questions of Responsibility for Data Protection
While there are multiple players involved in protecting data, clearly breaches still occur. For Equifax, insufficient protections on their website appear to be at fault.
It’s hard to know in advance when a breach might happen, so your best course of action is to sign up for fraud detection on your credit accounts, monitor your credit card and bank statements for unusual activity, report unusual activity immediately, and request a full credit report (which you are entitled to for free if you apply through the mail). Regularly change your PIN and, if you are truly concerned, temporarily freeze your accounts until you can resolve your concerns with your banking institution.
At home, you may notice more and more devices are coming with Internet connectivity capabilities included—your television, your refrigerator, your home security system. This advice comes up frequently, but it remains true: keep your software up to date on all of your Internet-connected devices, change default passwords, and, if it doesn’t need to be connected to the Internet or Bluetooth, you should consider disconnecting it. Keep up with best practices on home network security and keep an eye out for suspicious activity.
For hobbyists or engineers who work with IoT or other embedded systems in a network, do your best to follow best practices to ensure your system remains secure. No one should take security for granted.