
Gemalto Releases 2014 Breach Level Index Findings: Good Year for Cybercriminals

February 12, 2015

Unfortunately, as if we needed confirmation that cybercriminals had a very prosperous year in 2014, Amsterdam-based digital security solutions provider Gemalto is out with the results of its 2014 Breach Level Index, and it paints a disturbing picture.

At a headline level, the big finding was that more than 1,500 data breaches led to one billion data records compromised worldwide during 2014. These numbers represent a 49 percent increase in data breaches and a 78 percent increase in data records that were either stolen or lost compared to 2013. At a more granular level, the fact that identity theft continues to top the list of bad guy targets, while not a surprise, is troubling because so many entities continue to be less than careful even at the basic best practices level.

This really is a case of, “Read them and weep.”

Source:  Gemalto 2014 Breach Level Index

The Index has been a much-watched mainstay from security solutions provider SafeNet (recently acquired by Gemalto) for several years. It is a global database of data breaches as they happen and provides a methodology for security professionals to score the severity of breaches and see where they rank among publicly disclosed breaches. In addition to the raw numbers, the BLI also calculates the severity of data breaches across multiple dimensions based on breach disclosure information.

While there is a trove of information about the top breaches by region, industry and the top companies that were targeted, the increased concentration of both the frequency and severity of identity theft stands out in the Index results:

  • The main motivation for cybercriminals in 2014 was identity theft, with 54 percent of all data breaches being identity theft-based, more than any other breach category, including access to financial data.
  • In addition, identity theft breaches also accounted for one-third of the most severe data breaches categorized by the BLI as either Catastrophic (with a BLI score of between 9.0 and 10) or Severe (7.0 to 8.9).
  • Even secure breaches, which involved breaches of perimeter security where compromised data was encrypted in full or in part, increased to 4 percent from 1 percent.

The part of the Index that is always food for thought is the part about the source of attacks.

The reality is that while barbarians outside the gates are an obvious challenge, the accidental (25 percent) and malicious insider (15 percent) sources are alarming because so much of this is preventable.

“We’re clearly seeing a shift in the tactics of cybercriminals, with long-term identity theft becoming more of a goal than the immediacy of stealing a credit card number,” said Tsion Gonen, Vice-President of Strategy for Identity and Data Protection at Gemalto. “Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we’re starting to see that the universe of risk exposure for the average person is expanding.”

As noted, the desirability of and concentration on identity theft can be seen in the fact that such breaches became more severe in 2014 with two-thirds of the 50 most severe breaches. Plus, the number of data breaches involving more than 100 million compromised data records doubled compared to 2013.

Examining the breakouts of the industries being targeted is a good reason to download the findings.  As Gemalto highlights, retail and financial services experienced the most noticeable trends compared to other industry sectors in 2014.

  • Retail experienced a slight increase in data breaches compared to last year, accounting for 11 percent of all data breaches in 2014.
  • In terms of data records compromised, the retail industry saw its share increase to 55 percent compared to 29 percent in 2013 due to an increased number of attacks that targeted point-of-sale systems.
  • For the Financial Services sector, the number of data breaches remained relatively flat year over year, but the average number of records lost per breach increased ten-fold to 1.1 million from 112,000.

Gonen added that: "Being breached is not a question of 'if' but 'when.' Breach prevention and threat monitoring can only go so far and do not always keep the cyber criminals out. Companies need to adopt a data-centric view of digital threats starting with better identity and access control techniques such as multi-factor authentication and the use of encryption and key management to secure sensitive data. That way, if the data is stolen it is useless to the thieves."

The last observation by Gonen goes to the heart of the matter and speaks to ways in which 2015 does not have to be another banner year for bad guys. As everyone in the security industry says, there is no failsafe solution that can assure 100 percent security of digital assets. However, solutions and best practices are readily available to mitigate risks, and their adoption could have a major impact when the 2015 breach index is published.

Edited by Maurice Nagle