Data security breach incidents continue to occur worldwide in record numbers. Each year seems to be the year of the “data breach,” and by some estimates more than half of all records affected worldwide in data security breach incidents are due to just a few incidents that led to a large number of disclosed records.
Data breaches can occur in a variety of industries. Most importantly, breaches in healthcare, banking and large credit card related industries, which handle huge amounts of client and employee personal information such as social security numbers, credit card numbers and other personal data, have an enormous impact on society, on the individuals whose personal information has been compromised, and on the breached companies, which have to deal with the cost of the breach, its analysis and data breach notification.
As previously stated in this blog, some of the past data security breaches were huge in terms of their impact. If you look at the Chronology of Data Breaches listed at Privacy Rights Clearinghouse, you will notice that just a few data security breaches contributed to the majority of data exposures and affected millions of records.
Most of the security breaches were the result of poor, non-existent or unfollowed security controls for safeguarding personal information. The majority of the breach cases were caused by one of two information security mistakes made by the companies themselves or by the vendors they trust: 1) confidential information was placed on unencrypted laptops and storage devices such as USB drives, discs and tapes, which were subsequently lost, stolen or misplaced, and 2) systems were left unsecured, which allowed unauthorized system penetrations.
In most data breach cases, system access is obtained by stealing privileged account credentials, which should make employee training a top security priority. On the other hand, insider threats cannot be ignored, and they require consistent monitoring of highly privileged accounts that have access to either powerful functionality or databases.
What is most surprising is how often the news reports the same security weaknesses that were reported before, such as lost unencrypted laptops that contained confidential information. Why are there so many cases of personal information being lost and security being breached in the same manner? Don’t companies learn from others’ mistakes? This might be a good question for corporate psychologists, but typically companies don’t take the necessary actions to fix their problems until the security breaches that happen to others also happen to them. In fact, companies need a security breach that provides shock and awe before executive management takes information security much more seriously than just keeping an incapacitated information security group on the organization chart.
Unfortunately, security breach news is not very pleasant for individuals and companies. Corporations have to deal with identity theft investigations, analysis, government scrutiny, and data breach notification to affected people, while individuals have to monitor their credit reports and worry about identity theft.
The best thing companies can do is to monitor security breaches at other institutions and learn from their mistakes. This practice should be part of their overall information security risk management and data protection efforts. More often, companies and individuals alike think identity theft and data breaches can only happen to other people and consider themselves immune to identity fraud and privacy disclosure. Unfortunately, every individual and company has a chance of being the target of a data security breach and must be prepared for the worst. Individuals should consider the risks of a data security breach and prepare themselves by placing fraud alerts on their credit reports and monitoring those reports for suspicious transactions and activities.
Let’s hope future years are not record-breaking "data breach" years.
Visit Identity Management Institute for additional information on data security breach solutions.