Data breach

A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill. Incidents range from concerted attack by black hats associated with organized crime, political activist or national governments to careless disposal of used computer equipment or data storage media.

Definition: "A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so."[1] Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), Personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data - files, documents, and sensitive information.[2]

According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.[3]

Many jurisdictions have passed data breach notification laws, requiring a company that has been subject to a data breach to inform customers and take other steps to remediate possible injuries.

Definition

This may include incidents such as theft or loss of digital media such as computer tapes, hard drives, or laptop computers containing such media upon which such information is stored unencrypted, posting such information on the world wide web or on a computer otherwise accessible from the Internet without proper information security precautions, transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail, or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.[4]

ISO/IEC 27040 defines a data breach as: compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.

Trusted environment

The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data subsequent to termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust.

Data privacy

Most such incidents publicized in the media involve private information on individuals, i.e. social security numbers, etc.. Loss of corporate information such as trade secrets, sensitive corporate information, details of contracts, etc. or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.

Insider versus external threats

Those working inside an organization are a major cause of data breaches. Estimates of breaches caused by accidental "human factor" errors range from 37% by Ponemon Institute[5] to 14% by the Verizon 2013 Data Breach Investigations Report.[6] The external threat category includes hackers, cybercriminal organizations and state-sponsored actors. Professional associations for IT asset managers[7] work aggressively with IT professionals to educate them on best risk-reduction practices[8] for both internal and external threats to IT assets, software and information. While security prevention may deflect a high percentage of attempts, ultimately a motivated attacker will likely find a way into any given network. One of the top 10 quotes from Cisco CEO John Chambers is, "There are two types of companies: those that have been hacked, and those that don't know they have been hacked."[9] FBI Special Agent for Cyber Special Operations Leo Taddeo warned on Bloomberg television, "The notion that you can protect your perimeter is falling by the wayside & detection is now critical."[10]

Medical data breach

Main article: Medical data breach

Some celebrities have found themselves to be the victims of inappropriate medical record access breaches, albeit more so on an individual basis, not part of a typically much larger breach.[11] Given the series of medical data breaches and the lack of public trust, some countries have enacted laws requiring safeguards to be put in place to protect the security and confidentiality of medical information as it is shared electronically and to give patients some important rights to monitor their medical records and receive notification for loss and unauthorized acquisition of health information. The United States and the EU have imposed mandatory medical data breach notifications.[12]

Average cost of data breaches in Germany[13]

Consequences

Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by providing to the victims subscription to a credit reporting agency, for instance, new credit cards, or other instruments. In the case of Target, the 2013 breach cost Target a significant drop in profit, which dove an estimated 40 percent in the 4th quarter of the year.[14]

The Yahoo breach disclosed in 2016 may be one of the most expensive today. It may lower the price of its acquisition by Verizon by $1 billion.[15] Cybercrime cost energy and utilities companies an average of $12.8 million each year in lost business and damaged equipment according to DNV GL, an international certification body and classification society based in Norway.[16] Data breaches cost healthcare organizations $6.2 billion in the last two years (presumably 2014 and 2015), according to a Ponemon study.[17]

Major incidents

Notable incidents include:

2016

2015

2014

2013

2012

2011

2009

2008

2007

2006

2005

See also

References

  1. United States Department of Health and Human Services, Administration for Children and Families. Information Memorandum. Retrieved 2015-09-01.
  2. "Panama Papers Leak: The New Normal?". Xconomy. 2016-04-26. Retrieved 2016-08-20.
  3. 1 2 3 4 5 6 7 8 9 10 11 "Chronology of Data Breaches", Privacy Rights Clearinghouse
  4. When we discuss incidents occurring on NSSs, are we using commonly defined terms?, "Frequently Asked Questions on Incidents and Spills", National Archives Information Security Oversight Office
  5. Risk of Insider Fraud: Second Annual Study. Ponemon.org (2013-02-28). Retrieved 2014-06-10.
  6. Verizon Data Breach Investigations Report | Verizon Enterprise Solutions. VerizonEnterprise.com. Retrieved 2014-06-10.
  7. Welcome to IAITAM. Iaitam.org. Retrieved 2014-06-10.
  8. "The IT Checklist to Prevent Data Breach". IT Solutions & Services Philippines - Aim.ph. Retrieved 2016-05-06.
  9. "John Chambers' 10 most memorable quotes as Cisco CEO". Network World. Retrieved 2016-11-10.
  10. "FBI on Bloomberg TV".
  11. Ornstein, Charles (2008-03-15). "Hospital to punish snooping on Spears". Los Angeles Times. Retrieved 2013-07-26.
  12. "Medical data breaches: Notification delayed is notification denied". Retrieved 11 May 2016.
  13. "2010 Annual Study: German Cost of a Data Breach" (PDF). Ponemon Institute. February 2011. Retrieved 2011-10-12.
  14. "Data Breach Hurts Profit at Target". The New York Times. 27 February 2014. Retrieved 11 May 2016.
  15. "Verizon Wants $1 Billion Discount After Yahoo Privacy Concerns". TechCrunch. October 6, 2016.
  16. "Hydrocarbon Processing". September 29, 2016.
  17. "Data breaches cost healthcare industry $6.2B". Becker's ASC Review. May 12, 2016.
  18. "5 IT Security Lessons from the Comelec Data Breach". IT Solutions & Services Philippines - Aim.ph. Retrieved 2016-05-06.
  19. Freytas-tamura, Kimiko De (2016-10-30). "Iceland's Prime Minister Resigns, After Pirate Party Makes Strong Gains". The New York Times. ISSN 0362-4331. Retrieved 2016-11-10.
  20. Ltd, Allied Newspapers. "Watch: Will Panama scandal go away after the reshuffle?". Times of Malta. Retrieved 2016-11-10.
  21. "U.S. Readies Bank Rule on Shell Companies Amid 'Panama Papers' Fury". NBC News. Retrieved 2016-11-10.
  22. "Can secrets stay secret anymore?". CIO Dive. Retrieved 2016-11-10.
  23. "TalkTalk Hacked…Again". Check&Secure. 2015-10-23. Retrieved 2015-10-23.
  24. "Online Cheating Site AshleyMadison Hacked". krebsonsecurity.com. 2015-07-15. Retrieved 2015-07-20.
  25. "Data breach at health insurer Anthem could impact millions". 15 February 2015.
  26. "Apple Media Advisory: Update to Celebrity Photo Investigation". Business Wire. StreetInsider.com. September 2, 2014. Retrieved 2014-09-05.
  27. Melvin Backman (18 September 2014). "Home Depot: 56 million cards exposed in breach". CNNMoney.
  28. "Staples: Breach may have affected 1.16 million customers' cards". Fortune. December 19, 2014. Retrieved 2014-12-21.
  29. James Cook (December 16, 2014). "Sony Hackers Have Over 100 Terabytes Of Documents. Only Released 200 Gigabytes So Far". Business Insider. Retrieved December 18, 2014.
  30. Goodin, Dan. (2013-11-01) How an epic blunder by Adobe could strengthen hand of password crackers. Ars Technica. Retrieved 2014-06-10.
  31. "Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores". Target Corporation. 19 December 2013. Retrieved 19 January 2016.
  32. Honan, Mat (2012-11-15). "Kill the Password: Why a String of Characters Can't Protect Us Anymore". Wired (magazine). Retrieved 2013-01-17.
  33. Honan, Mat (August 6, 2012). "How Apple and Amazon Security Flaws Led to My Epic Hacking". Wired (magazine). Retrieved 26 Jan 2013.
  34. "Protecting the Individual from Data Breach". The National Law Review. Raymond Law Group. 2014-01-14. Retrieved 2013-01-17.
  35. "Public Incident Response Report" (PDF). State of South Carolina. 2012-11-12. Retrieved 2014-10-10.
  36. "South Carolina: The mother of all data breaches". The Post and Courier. 2012-11-03. Retrieved 2014-10-10.
  37. Greenberg, Andy (9 June 2011). "Citibank Reveals One Percent Of Credit Card Accounts Exposed In Hacker Intrusion". Forbes. Retrieved 2014-09-05.
  38. Heartland Payment Systems Uncovers Malicious Software In Its Processing System
  39. Lessons from the Data Breach at Heartland, MSNBC, July 7, 2009
  40. "GE Money Backup Tape With 650,000 Records Missing At Iron Mountain". InformationWeek. Retrieved 11 May 2016.
  41. "UK - BNP activists' details published". BBC. Retrieved 11 May 2016.
  42. "Bank of America settles Countrywide data theft suits". Los Angeles Times. August 24, 2010.
  43. "Countrywide Sued For Data Breach, Class Action Suit Seeks $20 Million in Damages", Bank Info Security, April 9, 2010
  44. "Countrywide Sold Private Info, Class Claims", Courthouse News, April 5, 2010
  45. "The Convergence of Data, Identity, and Regulatory Risks", Making Business a Little Less Risky Blog
  46. Manning, Jeff (2010-04-13). "D.A. Davidson fined over computer security after data breach". The Oregonian. Retrieved 2013-07-26.
  47. "T.J. Maxx data theft worse than first reported". MSNBC. 2007-03-29. Retrieved 2009-02-16.
  48. data Valdez Doubletongued dictionary
  49. AOL's Massive Data Leak, Electronic Frontier Foundation
  50. data Valdez, Net Lingo
  51. "Active-duty troop information part of stolen VA data", Network World, June 6, 2006
  52. "ChoicePoint to pay $15 million over data breach", NBC News

External links

This article is issued from Wikipedia - version of the 12/4/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.