A year ago, I was writing about the 575 million data records lost or stolen throughout 2013, a sum based on the data collected by the Breach Level Index that seemed astonishing at the time. The Target breach that happened at the end of that year stood out for me as the epitome of a changing infosec landscape, in which a breach not only caught the attention of industry experts, but also warranted weeks of mainstream media coverage.
Time changes everything. Unfortunately, in terms of breach occurrences, things didn’t improve in 2014. The number of data records lost or stolen somehow increased by approximately 78% year over year, with more than 1 billion records lost or stolen last year according to the Breach Level Index. That breaks down to 32 records lost or stolen every second of the year. There were 1,056 breach incidents in 2013. There were 1,541 in 2014, an approximately 46% increase. But the figure that really stands out to me is 4%; that’s the percentage of all 2014 incidents that were “secure breaches” – those in which encryption was used to protect the data and render it useless after it was compromised.
Additionally, breaches continued to make headlines last year, picking up where the Target breach news left off. 2014 was the year hackers successfully attacked the payment data systems of Home Depot, stealing 109 million data records and registering a 10.0 on the Breach Level Index’s risk assessment scale. JP Morgan Chase likewise encountered a 10.0 breach, in which more than 80 million records were compromised. And then came the Sony Pictures Entertainment breach.
While it was low by the numbers in comparison to some other 2014 breaches – 47,000 records compromised – Sony’s breach stands out most to me. Employees were threatened, executives’ private emails were released, films still in theaters were leaked, and the theatrical release of a film with A-list stars and a $44 million budget, The Interview, was cancelled. The FBI was involved in an investigation that led to the conclusion that the attack originated in North Korea, and the breach and what it represented were so significant that President Obama personally addressed the nation with regard to the situation.
We continue to see the impact of that breach in 2015. Last week, Amy Pascal, the co-chairman of Sony at the time of the hack, stepped down following the above-mentioned release of her private emails. And on February 10, 2015, just days ago, the White House called the Sony hack a “game changer” and announced the formation of a new agency, the Cyber Threat Intelligence Integration Center, to gather and analyze information about cyberthreats.
Take a moment to consider just how far-reaching the impact of one breach was socially, economically, and politically. Like Target, the Sony breach became the top story in the news, but it seemed like the cyberattack ripple effect increased exponentially at the end of 2014. A breach occurred, and the world changed.
Like many of us, I do my best to balance optimism with realistic expectations. I don’t think we can expect that a new perimeter security measure is coming that will keep determined cybercriminals from successfully breaching most organizations they target. I don’t anticipate the Sony breach to be the last to have history-making implications that may indirectly impact the lives of people around the globe.
As Tsion Gonen, chief strategy officer for Identity & Data Protection at Gemalto, recently wrote for The Hill: “It’s time that executives and information security professionals accept the fact that their companies will be breached and start thinking outside the box when it comes to data security.”
My hope is that in another year, if I’m writing about the billions of data records stolen in 2015, I’ll at least be able to say that the silver lining is that the percentage of secure breaches increased, and that they stand as evidence that more companies followed Gonen’s advice.