In IT security, worst case scenarios became commonplace in 2014, and there’s no end in sight. Headline-making data breaches will likely continue into this year, as businesses, governments and regulators play catch-up to this threat.
The nature of the attacks is changing as well, according to Gemalto, a digital security firm. Records that help criminals with identity theft, which is harder to catch and stop, are the leading goal of attackers. The recently disclosed breach of 80 million records at Anthem, the health insurer, was an identity theft attack.
Gemalto, in its annual Breach Level Index report (see PDF) released Thursday, said there were, globally, 1,514 breach incidents that became public, with the number of records compromised exceeding 1 billion.
In terms of number of records breached, 2014 represented a 78% increase over the prior year.
Gemalto collects its data from public sources, and despite the vagaries of this type of data collection, it believes the report reflects what is happening on a year-to-year basis. “Breach notification laws didn’t change dramatically,” said Tsion Gonen, chief strategy officer for identity and data protection at Gemalto.
Mega breaches are the defining trend, exposing tens of millions of records of brand-name companies last year, including Home Depot, with 109 million records breached, eBay, at 145 million, and JP Morgan Chase at 83 million.
Identity theft accounted for 54% of the attacks, which is up 20% from 2013.
The rise of identity theft, said Gonen, is a result of the success of financial services firms in quickly stopping financial access crimes, such as credit card fraud. That’s not the case for identity theft, which will require regulatory approaches to curb, he said.
Gemalto came up with a 1-to-10 ranking system, determined by an algorithm, for breaches. The system is weighted toward the “outbound,” impact, or impact on customers, especially if the data is unencrypted. That ranking system gave,Home Depot, JP Morgan Chase, and eBay scores of 10, while Sony, which generated worldwide press with its released emails and stolen digital content, received a 6.5 ranking, since much of the damage was to Sony itself.
Malicious outsiders accounted for 55% of the breach incidents, while the next largest source is human error, at 25%. The human error problems include improperly secured Web sites that allow access to customer data and lost laptops. A company's decision not to encrypt customer data is not counted as human error.
Gonen said 2014 will be remembered as a tipping point in IT security. He said security awareness is the highest it has ever been, and points to recent moves by President Obama to seek security legislation and new levels of cooperation with the private sector.
“Everyone is aware,” said Gonen of the risks, “everybody gets it.”