October 14, 2014

Data Breach Incidents: Are Mega Breaches Becoming the New Norm?

With data breaches so often in the news, it’s not surprising to read that since 2004 there have been over 300 data breaches involving the theft of 100,000 or more records each.

What is surprising however, is the rate at which these breaches have grown in size. 

According to the Internet Security Threat Report 2014 from Symantec Corporation, there were at least eight ‘mega breaches’ in 2013 compared to just one in 2012.

Mega breaches are defined as data breach incidents that cause the exposure of at least 10 million identities. But when you examine the numbers, ‘mega breaches’ often means 10’s of millions of identities.

Here are some examples.

Earlier this year, cyber thieves stole about 145 million usernames, passwords, phone numbers and addresses from eBay.  

In 2013, malicious software was used to steal account data from over 100 million customers at Target. Experian-owned Court Ventures made headlines with a security breach of as many as 200 million records. And, Adobe had a breach of 152 million records.

In 2009, a data breach at Heartland Payment Systems compromised 130 million records.

In 2007, T.J. Maxx was breached – and 100 million records were exposed.  

Most recently, Home Depot was targeted… and everyone’s waiting to find out how many millions of customers had their credit card information stolen.  

Computer hacking is to blame in almost two-thirds of reported incidents in 2013, according to the Executive’s Guide to 2013 Data Breach Trends. A range of online fraud and other schemes as well as snail mail, lost/stolen/missing documents, stolen laptops and computers, and improper disposal were to blame for the rest.

Companies have to do everything they can to reduce the risk of a data breach.  Here are some strategies:

  • Leadership. Companies need a strong security posture with comprehensive information security policies and procedures.  The appointment of a Chief Information Security Officer (CISO) has been shown to help reduce data breach incidents.
  • IT Security. Equip all computers, electronic devices, and networks with updated protection against security threats. This would include anti-virus software, encryption software, password protection, etc. 
  • Focus on employees. Regular staff training on safety protocols and policies is critical. Teach employees, including those using mobile devices, to maintain full control over all vital information, in and out of the office. Assign levels of security clearance according to job requirements.
  • Document management. From creation to disposal, all documents containing personally identifiable information must be securely handled. Shred everything on a regular basis (implement a shred all policy) to avoid the risk of error or poor judgement about what needs to be shredded. Hard drive destruction is also important to factor into your document management policy.
  • Physical protection. Create a secure environment in the workplace with visitor and employee ID protocols. A Clean Desk Policy secures paperwork and computer screens.
  • Security-minded partners. Ensure that associated vendors and business partners follow privacy laws and meet security standards. For example, professional document shredding services will make sure there are no security loopholes and will provide secure document destruction for both paper documents and electronic data.   
  • Security audits. Implement on-going risk analysis processes, and create a security policy that is designed to limit exposure to fraud and data breaches.

For information about the types of documents that need secure handling in a workplace, watch this video on information security.