2015 Second Annual Data Breach Industry Forecast


EXECUTIVE SUMMARY

The growing prevalence of widely publicized data breaches is sparking a change in the attitudes of business leaders and consumers when it comes to cybersecurity. Board members and the C-suite can no longer ignore the drastic impact a data breach has on company reputation. Meanwhile, consumers are demanding more communication and remedies from businesses after a data breach occurs. As a result, the topic is one of the highest priorities facing businesses and regulators in 2015.

For businesses, the risk of experiencing a data breach is higher than ever with almost half of organizations suffering at least one security incident in the last 12 months. To address this, 48 percent of organizations increased investments in security technologies in the same timeframe, and 73 percent acknowledged the likelihood of a breach by developing a data breach response plan. Cyber insurance policies are also becoming more important to a company’s preparedness plan, with the adoption rate more than doubling over the last year from 10 percent in 2013 to 26 percent in 2014.[1][2]

Where a year ago many organizations did not have a data breach response plan in place, it is encouraging that executives are better prioritizing this issue. However, much remains to be done as the data breach landscape and consumer sentiment continue to evolve. While several of the same issues are expected to persist in 2015, a few new trends are anticipated in the coming year. These changes will be driven by factors including implementation of new payment technology, continued rapid expansion of cloud and ecommerce, as well as the consistently high value of healthcare data on the black market.

The end of a year brings reflection as well as a chance to pause and look to the future. To help businesses understand implications of such changes and navigate the road ahead, Experian Data Breach Resolution has developed six key predictions about how the data breach industry will evolve in 2015. These predictions are based on experience helping more than 3,000 companies manage breaches of all types in 2014 and conversations with leaders across the security landscape. With this mindset, we also looked back at how our 2014 predictions played out.

Based on our experience, the top data breach trends of 2015 include the following:

Rise - and Fall - of Payment Breaches
Adoption requirements for EMV “Chip and PIN” technology being implemented may drive an increase in the frequency of payment breaches as the window closes for hackers to profit from this type of attack on brick-and-mortar retailers. However, businesses should be wary of the potential for the new infrastructure creating a false sense of security for consumers.

The deadline for retailers to adopt EMV (Chip and PIN) credit card technology is October 2015 if they want to accept Visa or MasterCard payments.

Safeguard Your Password: More Hackers will Target Cloud Data
As more data is stored in the cloud, hackers are eager to capitalize on the value of consumer online credentials. There is an expected increase in cyber attacks to access consumer passwords and other data stored in the cloud.

Persistent and Growing Threat of Healthcare Breaches
The expanding number of access points to Protected Health Information (PHI) and other sensitive data via electronic medical records and the growing popularity of wearable technology makes the healthcare industry a vulnerable and attractive target for cybercriminals. Several factors suggest the healthcare industry will continue to be plagued with data breach headlines in 2015.

Shifting Accountability: Business Leaders Under Increased Scrutiny
Showcased by shifts in leadership at companies that suffered a public data breach in the last year, it is clear that security can no longer be viewed as just an IT issue. In 2015, scrutiny of corporate leadership’s management of security may continue to increase in the form of legal and regulatory action after a major incident.

Missing the Mark: Employees Will Be Companies’ Biggest Threat
Although businesses will increase focus on security protocols against external hackers this year, we predict that many will miss the mark on protecting against insider threat. Employees and negligence will continue to be the leading cause of security incidents in the next year.

Fresh Breach Surface via the Internet of Things
Like it or not, the Internet of Things (IoT) is spreading rapidly, offering a wide range of benefits for businesses looking to review data and optimize performance. More devices are being created with Wi-Fi capabilities and sensors that create the opportunity for everyday items — for example, car keys, alarm system or wearable devices — to relay information over the Internet and communicate with each other. As more companies adopt interconnected systems and products, cyber attacks will likely increase via data accessed from third-party vendors.

Confronting The Issue Of Data Breach Fatigue

The experience of being a victim to data breaches has created a substantial shift in consumer behaviors and attitudes over the last year, with increased expectations for swift notification and a decrease in the level of trust in the companies impacted. Consumers also send mixed signals to organizations — with many becoming more apathetic in a phenomenon coined as “data breach fatigue” and taking less action to personally protect themselves — whilst expressing heightened concern for identity theft.

In a 2014 study from the Ponemon Institute, more than one-third of consumers reported they ignored data breach notification letters, taking no action to protect themselves from fraud. However, most consumers continue to believe organizations should be obligated to provide identity theft protection (63 percent) and credit monitoring services (58 percent).[3]

To confront data breach fatigue, companies need to avoid treating the notification process as a compliance issue, and conduct sincere communication with customers. Notification letters should include an apology and a clear explanation of what happened, why it happened, and what consumers can do to protect themselves from fraud. This includes checking credit reports and monitoring financial or health records to identify any fraudulent activity.

Contact us at 866.751.1323 or email us at databreachinfo@experian.com.

TOP 6 DATA BREACH TRENDS FOR 2015

1. Rise - and Fall - of Payment Breaches

With the imminent adoption requirements for EMV “Chip and PIN” technology in the United States in October 2015, the window may be closing for hackers to easily profit from point-of-sale attacks on brick-and-mortar retailers. Today, U.S.-based retailers face a perfect storm of having information that is an attractive target to attackers and the availability of malware capable of compromising payment systems being sold on the black market. We expect a continued influx of payment breaches in the near-term before the new system is implemented late next year.

In the interim, larger retailers will continue to take steps to harden their systems to be less vulnerable to attacks. However, despite increased security efforts, attackers may look for new ways to compromise these companies given how profitable the payoff can be. Because the October 2015 deadline to adopt the new technology has been publicly announced, cyberthieves have likely already identified vulnerabilities they can target in the new infrastructure. As this technology is viewed by many as the panacea for retail breaches, consumers could easily get a false sense of security.

We also expect to see attacks on smaller regional chains that could be more vulnerable but still provide a significant amount of payment cards. Even after the October deadline for merchants to implement new, more secure payment infrastructure or face being responsible for fraudulent charges, smaller vendors may be slow to adopt the new system. This means payment breaches will likely persist, but the likelihood of another mega credit card breach due to POS malware will be significantly reduced.

The Takeaway: The window is closing for traditional retail payment breaches, meaning there may be a rise in criminal activity in the coming months before more secure payment technologies are implemented. However, once Chip and PIN technology is adopted, it won’t be long before cyber thieves identify new vulnerabilities to target. Either way, retailers need to prepare for the likelihood of a breach by hardening the security of their infrastructure and ensuring there is a proper incident response plan in place. The risk of credit card companies and banks filing lawsuits against breached retailers will also be motivation for companies to invest in security sooner rather than later.

2. Safeguard Your Password: More Hackers will Target Cloud Data

In 2015, we expect an increase in breaches involving the loss of usernames, passwords and other information stored in the cloud. Cloud services have been beneficial to both consumers and business productivity. However, as more information gets stored in the cloud and consumers rely on online services for everything from mobile payments and banking to photo editing and commerce, they become a more attractive target for attackers.

In fact, a recent study found a Twitter account is worth more on the black market than a credit card number and stolen identities including online credentials are worth upwards of $25 per record on the black market.[4][5]

We expect this increase in hackers targeting online credentials such as consumer passwords and usernames to gain keys to the castle — with the likelihood that compromising one record can often give access to all sorts of other information stored online.

Beyond online credentials, loss of other personal information remains concerning if still underreported. Breached emails often lead to spear phishing attacks or SPAM and the loss of personal information like name, address, date of birth and Social Security numbers can be used as part of synthetic identity theft.

The Takeaway: There may be an increase in cyber attacks this year to access consumer passwords and other data stored in the cloud.
To combat this, incident response plans should include considerations of how to reset user passwords on a massive scale and send email promptly to all potentially affected. The need to maintain trust necessitates being transparent with customers.

Boom In State-Level Regulatory Action

In the absence of federal regulatory action for standardized data breach notification requirements, states may experiment with data breach laws in the coming year, from adjusting timing and content of notification, to defining personal data, and requirements to alert media and regulators. Unfortunately, for companies with customers in multiple states there is no one-size-fits-all approach to notification that meets each standard. Currently, U.S. businesses face a patchwork of data breach laws across 47 states, along with the District of Columbia and Puerto Rico. Three states remain without data breach notification laws (Alabama, New Mexico and South Dakota).

This year, in light of recent breaches several states are likely to adopt new standards that expand the definition of personal data to include email and password information and non-HIPAA related health data, such as health insurance policy numbers and subscriber identification numbers. Under these proposals, the expanded definition of personal data could trigger breach notices in more frequent circumstances. It is important to maintain a comprehensive and regularly updated data breach response plan to ensure companies are prepared to meet these new requirements and various standards.

Policymakers at the state and federal level agree — companies need to be prepared to respond to a breach. In fact, after reporting that more than 500 million financial records had been stolen by hackers in the past 12 months, Joseph Demarest, assistant director in the FBI’s Cyber Division, issued a warning saying, “You’re going to be hacked. Have a plan.” State attorneys general in California, New York and Illinois have each called on companies to have a breach response plan in place that includes the offering of identity theft protection services to affected customers.

3. Persistent and Growing Threat of Healthcare Breaches

We expect healthcare breaches will increase — both due to potential economic gain and digitization of records. Increased movement to electronic medical records (EMRs), and the introduction of wearable technologies introduced millions of individuals into the healthcare system, and, in return, increased the potential for data breaches.

Healthcare organizations face the challenge of securing a significant amount of sensitive information stored on their network, which combined with the value of a medical identity string makes them an attractive target for cybercriminals.

The problem is further exacerbated by the fact that many doctors’ offices, clinics and hospitals may not have enough resources to safeguard their patients’ PHI. In fact, an individual’s Medicare card — often carried in wallets for doctors’ visits — contains valuable information like a person’s Social Security number (SSN) that can be used for fraud if in the wrong hands. Currently, we are not aware of any federal or law enforcement agency which tracks data on SSN theft from Medicare cards, but the problem is widely acknowledged.

The potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually.[6]

This year, Reuters reported that the FBI released a private notice to the healthcare industry warning providers that their cyber security systems are lax compared to other sectors. A memo reportedly stated, “the healthcare industry is not as resilient to cyber intrusions compared to financial and retail sectors, therefore the possibilities of increased cyber intrusions is likely.” According to the Ponemon Institute, 72 percent of healthcare organizations say they are only somewhat confident (32 percent) or not confident (40 percent) in the security and privacy of patient data shared on HIEs.[7]

The Takeaway: Healthcare organizations will need to step up their security posture and data breach preparedness or face the potential for scrutiny from federal regulators. Reported incidents may continue to rise as electronic medical records and consumer-generated data add vulnerability and complexity to security considerations for the industry.

4. Shifting Accountability: Business Leaders Under Increased Scrutiny

Where previously IT departments were responsible for explaining security incidents, cyber attacks have expanded from a tech problem to a corporate-wide issue. With this shift, business leaders are being held directly accountable for data breaches.
Executives at the highest levels are under scrutiny about security posture and their response to a breach from stakeholders, regulators and consumers. Recent mega breaches have showcased the significant pressure for management teams to brush up on their knowledge on data breach preparedness or face the threat of being ousted from the company.

In 2015, scrutiny of corporate leadership’s management of security may continue to increase in the form of critical media coverage and legal and regulatory scrutiny in the wake of a major incident. We also expect to see more definitive action taken by boards to hold company leadership accountable.

Looking ahead, senior executives will be expected to have a better understanding of the data breach response plan, comprehension of new technologies and security protocols in the workplace and have a clearly-defined chain of response should a breach occur. This often doesn’t exist today. According to a recent survey by the Ponemon Institute, 17 percent of senior executives are currently not aware of whether or not their organization had suffered a data breach in the last year.[8]

The Takeaway: Data breaches need to be managed as a corporate-wide risk in 2015. Decision-makers at the C-suite level should have an active role in preparing for a data breach and how to respond. They also should increase allocated resources to data security, or else face the consequences of appearing irresponsible to constituents and stakeholders.

5. Missing the Mark: Employee Mistakes Will Be Companies’ Biggest Threat

Although there is heightened sensitivity for cyber attacks amongst business leaders, a majority of companies will miss the mark on the largest threat: employees. Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls. Employees and negligence are the leading cause of security incidents but remain the least reported issue.
According to industry research, this represented 59 percent of security incidents in the last year.[9]

Expect a rise in legal and regulatory scrutiny in 2015.

In 2015, people-based breaches will continue to be the leading cause of compromises but will receive the least attention. Investments will favor new technologies capable of helping better prevent intrusions and the exfiltration of data from attackers. Currently only 54 percent of organizations report they conduct security awareness training for employees and other stakeholders who have access to sensitive or confidential personal information. Making a significant dent in the number of breaches in 2015 will require companies to pay more attention to raising the security intelligence of employees.[10]

U.S. companies reported $40 billion in losses from unauthorized use of computers by employees last year.[11]

The Takeaway: Despite all signs pointing to employees as the largest threat to a company’s security, business leaders will continue to neglect the issue in favor of more appealing security technologies in 2015. As a result, many companies will miss the mark on fighting the root cause of the majority of breaches. Organizations that implement regular security training with employees and a culture of security committed to safeguarding data will be better positioned for success.

6. Rise in Third-Party Breaches via the Internet of Things

The next leak from the office water cooler won’t be caused by employee gossip. Technology advancements means the In[...] people interact with everyday items. Growing in popularity as a way for businesses to measure data in new ways, the IoT allows us to gather and process valuable information from machines and other physical objects.

According to Gartner, the IoT will grow to 26 billion units installed in 2020 representing an almost 30-fold increase from 0.9 billion in 2009. With more companies looking to leverage the IoT by gathering, storing and processing data from billions of objects and devices, there are more points of vulnerability for this information to be targeted by hackers. As a result, we expect an increase in cyber attack campaigns initiated by IoT-compromised devices and interconnected systems adopted by organizations, including everything from sensor networks and work meters to consumer devices such as routers and NAS storage.

The Takeaway: As companies adopt more interconnected products and systems, the Internet of Things could usher in the next wave of large third-party breaches. Businesses looking to take advantage of data available from the IoT need to emphasize risk management and security with third party vendors that provide or have access to the same information.[12]

Medical Identity Theft A Growing Concern
