2016 pretty much blew all previous breach numbers out of the water. According to the Identity Theft Resource Center’s (ITRC) yearly breach list, there were 781 reported breaches in 2015 and 1,093 in 2016 – with 2016 representing a whopping 40% increase. With 410 reported breaches just four months into the New Year, 2017 looks to be on the same track as 2016.
ITRC’s chief executive officer, Eva Casey Velasquez, paints a gloomy picture on the outlook of the true number of data breaches that occur, stating that “we are extremely confident that breaches are undiscovered and under-reported, and we don’t know the full scope. This isn’t the worst-case scenario we are looking at; this is the best-case scenario.”
Data breaches by industry
Healthcare was the biggest target for hacks in 2016, with 493 breaches – a 10.8% increase from 2015 – accounting for more than one quarter (27.5%) of all data breaches reported for the year. With troves of valuable patient data stored on antiquated networks, healthcare breaches happened at the rate of one per day in 2016, with over 27 million records affected.
The consequences of these breaches are not cheap: over the past few months alone, healthcare organizations in violation of HIPAA have paid millions of dollars in fines. In February, a Miami, Fla.-area non-profit paid $5.5 million to settle a HIPAA case, while a Dallas-area hospital had to pay a $3.2 million HIPAA penalty.
Although healthcare has already seen 97 breaches in 2017, healthcare providers are treating privacy and security as one of their top priorities this year, according to a report released last week by HIMSS at its annual conference.
Gemalto’s Breach Level Index Report for 2016 shows the government sector at 269 breaches in 2016, followed by retail at 215, financial services at 214, technology at 189 and education at 157 data breaches. The ITRC reports that all of these sectors still top the list for number of data breaches in 2017, showing that each remains vulnerable to cyberattacks.
Who is stealing the data – and how?
It seems there are many unknowns about data breaches, but security experts are digging into the nuts and bolts of breaches, discovering some solid research on who is committing the cybercrimes and how they are doing it.
Gemalto reveals that hackers and cyberattacks are by far the leading cause of data breaches in 2016, with malicious outsiders accounting for 1,223 incidents – 68% of all attacks launched. A staggering 7 billion data records have been exposed since 2013.
For the third straight year, identity theft was the leading type of breach: in 2016 it accounted for 1,050 data breaches, or 58.6% of all incidents.
Identity theft most often occurs after cyber thieves succeed in infiltrating an organization’s network or point of sale (POS) system via malware, reaching the places where sensitive customer information is stored. From credit card numbers to social security numbers, this valuable information is stolen and later sold on the black market. It is a lucrative business for hackers, which explains both why there is no shortage of data breaches and why malware is the leading culprit behind identity theft.
The many variants of malware
About 90% of all POS data breaches are due to malware, with five malware attacks occurring every second, or 170 million each year. There are many types of POS malware, and they differ in how they work, but all share the same goal: compromising your POS system.
The Givex Corporation recently released their Guide to POS Security, describing the different malware strains, citing the organizations they target.
MalumPoS: MalumPoS malware can be reconfigured by cyber thieves to breach a wide range of POS systems. This malware disguises itself, making it seem harmless while it selectively looks for any data on Visa, MasterCard, American Express, Discover, and Diner’s Club cards. This malware commonly targets Oracle MICROS POS systems, which businesses use heavily within the hospitality, food and beverage, and retail industries.
Backoff: Backoff malware scrapes memory from running processes on targeted devices. It is a prevalent malware and has been planted on POS systems by cyber thieves, hitting Dairy Queen’s 395 stores and affecting 600,000 credit and debit cards.
vSkimmer: The vSkimmer malware targets POS systems running Windows to steal credit card information. In plain terms, it takes over a core part of Internet Explorer on the infected Windows machine.
BlackPOS: BlackPOS, a.k.a. “Kaptoxa”, targets POS systems with card readers running Windows, discovering them through automated Internet scans. Target’s massive data breach was due to BlackPOS: 70 million records were stolen, and the company saw a 46% drop in profits after the attack.
GamaPoS: GamaPoS extracts credit card data from POS systems by infecting them at scale, pushing out a large volume of malware. Home Depot fell victim to GamaPoS, with 56 million customer debit and credit card numbers stolen and recovery costs over $200 million, with settlements still being determined today.
Encryption – the solution to malware
The damage from the malware attacks described above shows that the consequences of data breaches are vast and costly.
According to IBM and Ponemon Institute’s 2016 Cost of Data Breach Study, the average total cost of a data breach is now $4 million, with the cost per stolen record of $158. This marks a 29% increase in total cost per breach since 2013. The study also determined that one in four businesses would experience a data breach of 10,000 records or more during 2016.
As the numbers on data breach statistics continue to rise, the big question for 2017 becomes: how will organizations protect themselves from data breaches?
It is clear that a new approach to data security is needed if organizations want to stay ahead of attackers and protect their data, customer information and bottom lines more effectively against future breaches. Gemalto’s report emphasizes three key steps to securing data:
“It’s one thing to change mindsets. It’s another to implement a new approach to security across an organization. While there is no ‘one size fits all’ prescription for achieving the ‘Secure Breach’ reality, there are three steps that every company should take to mitigate the overall cost and adverse consequences that result from a security breach.”
- Encrypt all sensitive data at rest and in motion
- Securely store and manage all of your encryption keys
- Control access and authentication of users
Jason Hart, VP and CTO for Data Protection at Gemalto, believes that “encryption and authentication are no longer ‘best practices’ but necessities.”
Bluefin Payment System shares this belief in the importance of encrypting data. Bluefin’s PCI-validated P2PE solutions encrypt cardholder data, preventing clear-text cardholder data from being present in a merchant or enterprise’s system or network where it could be accessible in the event of a data breach.
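As an added example (not Bluefin’s or Gemalto’s code), the Python script below shows why encrypting at the point of capture defeats the memory scraping described for Backoff above: a cardholder-data discovery scan of the kind used for PCI DSS scoping (a digit-run regex plus a Luhn check) finds the test PAN in a legacy POS buffer but nothing in a P2PE-style buffer where the terminal encrypted the PAN first. The HMAC-SHA256 counter-mode cipher, the key, the nonce and the buffer layouts are constructed stand-ins, not any real terminal’s scheme.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: a standard test PAN (not a real account) as swiped at a terminal.
TEST_PAN = "4111111111111111"
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # candidate PAN lengths

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discovery scans use it to drop digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(buffer: bytes) -> list:
    """Cardholder-data discovery: Luhn-valid PAN-like digit runs in a memory or file buffer."""
    return [m.group().decode() for m in PAN_RE.finditer(buffer)
            if luhn_ok(m.group().decode())]

def prf_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 keystream in counter mode (same call decrypts); stdlib stand-in for AES, an assumption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def pos_memory_clear_text(pan: str) -> bytes:
    """Legacy flow: the terminal hands the PAN to the POS application in the clear."""
    return b"TXN amount=4200 pan=" + pan.encode() + b" exp=1220 status=PENDING"

def pos_memory_p2pe(pan: str, device_key: bytes, nonce: bytes) -> bytes:
    """P2PE-style flow: the terminal encrypts the PAN before the POS application ever sees it."""
    ct = base64.b64encode(prf_ctr(device_key, nonce, pan.encode()))
    return (b"TXN amount=4200 pan_enc=" + ct + b" nonce=" + nonce.hex().encode()
            + b" exp=1220 status=PENDING")

# Constructed key and nonce; a real terminal uses a fresh per-transaction key (e.g. DUKPT).
DEVICE_KEY = b"constructed-device-key-0123456789"
NONCE = bytes.fromhex("a1b2c3d4e5f60718")

def demo() -> tuple:
    """What a scan of each buffer finds: ([PAN], []) for the legacy vs. the P2PE flow."""
    return (find_pans(pos_memory_clear_text(TEST_PAN)),
            find_pans(pos_memory_p2pe(TEST_PAN, DEVICE_KEY, NONCE)))
```

Running `demo()` returns the PAN for the legacy buffer and an empty list for the encrypted one; only the processor holding the device key can recover the PAN with the same `prf_ctr` call.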
Learn how Bluefin can help secure your data and your business from data breaches.