Data security breach incidents continue to occur worldwide in record numbers. In particular, 2007 was the year of “breach data security”: by some estimates, more than half of all records exposed in security breaches worldwide that year came from a single incident, the theft of credit card data at TJX Companies (the parent of T.J. Maxx) in the United States, at the time the largest theft of credit card data on record. Data breaches occur in every industry, but those in healthcare, banking and the credit card industry matter most. These organizations hold huge volumes of client and employee personal information, such as social security numbers, credit card numbers and other personal data, so a breach there has an enormous impact on society, on the growing number of individuals whose personal information is compromised, and on the breached companies themselves, which must bear the cost of the breach, its analysis and the data breach notifications.
As I stated, some past data security breaches were huge in terms of their impact. If you look at the Chronology of Data Breaches maintained by Privacy Rights Clearinghouse, you will notice that just a few data security breaches account for the majority of data exposures and affected millions of records.
Most of these breaches resulted from security controls that were poor, non-existent or simply not followed. The majority of cases trace back to one of two information security mistakes, made either by the companies themselves or by the vendors they trust: 1) confidential information was placed on unencrypted laptops and storage media such as USB drives, discs and tapes, which were subsequently lost, stolen or misplaced; and 2) systems were left unsecured, which allowed unauthorized penetration.
What surprises me the most is how often the news reports the same security weaknesses that were reported before, such as lost unencrypted laptops containing confidential information. Why are there so many cases of personal information lost, and security breached, in exactly the same manner? Don’t companies learn from others’ mistakes? This might be a good question for corporate psychologists, but I think companies don’t act until the same kind of breach that happened to others happens to them. In fact, it seems to take a breach that delivers shock and awe before executive management takes information security more seriously than merely keeping an incapacitated information security group on the organization chart.
Unfortunately, breach news is unpleasant for individuals and companies alike. Corporations must deal with identity theft investigations, analysis, government scrutiny and breach notification to the affected people, while individuals must monitor their credit reports and worry about identity theft.
The best thing companies can do is monitor security breaches at other institutions and learn from their mistakes. This practice should be part of their overall information security risk management and data protection efforts. Too often, companies and individuals alike think identity theft and data breaches only happen to other people and consider themselves immune to identity fraud and privacy disclosure. Unfortunately, every individual and every company can become the target of a data security breach and must be prepared for the worst. Individuals should consider the risk and prepare themselves by placing fraud alerts on their credit reports and monitoring those reports for suspicious transactions and activity.
Let’s hope future years are not record-breaking “breach data security” years.