You learn a lot about emerging and evolving risks when you help more than 3,000 organizations manage breaches of all kinds, as the Experian Data Breach Resolution team did in 2014. We shared many of our insights in our Second Annual Data Breach Industry Forecast, and recent headlines support many of the predictions we’ve made.
In our report, we foresaw the rise and fall of payments breaches in 2015, and the year started off with news of two payments incursions at two very different companies. In mid-February, Softpedia reported that the online games website BigFish Games had discovered cyber criminals planted malware on its billing and payments pages to steal information from people signing up for new accounts. The information may have included names, addresses, card numbers, expiration dates and CVV2 numbers: essentially everything a crook needs to make unauthorized online purchases in the victim's name. BigFish Games has offered a year of free identity theft protection to affected customers.
Also in January, the upscale French Lick Resort in Indiana reported that its payment system had been compromised by malware, and that anyone who checked into the resort between April 23, 2014 and Jan. 21 of this year may have had their credit card information stolen, IndyStar.com reported.
We also predicted that hackers will increasingly target cloud data. On Feb. 5, The International Business Times reported that the hack of Anthem Inc., the nation's second-largest health insurer, had been traced to a cloud service outside the company. The cyber criminals who perpetrated the breach apparently stole a staggering volume of data: tens of millions of Social Security numbers, birth dates, names and addresses. The Anthem breach also supports another of our predictions: the continued growth of healthcare breaches.
An excellent round-up of recent healthcare breaches on the Becker's Hospital Review website illustrates the scope of this ever-growing type of breach and the many ways in which they can occur. Writer Akanksha Jayanthi lists eight recent breaches, ranging from a laptop containing sensitive data being stolen from a hospital in Moreno Valley, California, to the Department of Veterans Affairs discovering a flaw in a patient database managed by an outside vendor.
Accountability is another trend we foresee in 2015, and in his January State of the Union address, President Obama proposed multiple pieces of legislation that speak to data breaches and greater accountability, including the Personal Data Notification and Protection Act. Among the proposed law's provisions: businesses that use, access, store, collect or dispose of personal information for 10,000 or more people during any 12-month period must notify affected persons of a breach within 30 days of discovering it, and notifications must contain specific details about what information was compromised, a toll-free (800) number for questions, and the numbers for the major credit reporting agencies. The legislation, which does not detail penalties for companies that fail to meet its requirements, is an attempt to standardize data breach notifications. Right now, 47 states, the District of Columbia and three U.S. territories each have their own data breach notification laws, according to the National Conference of State Legislatures.
While awareness of external risks appears to be growing, there is still work to be done on addressing threats from within organizations, which is why we also predicted that in 2015 employees will be companies' biggest threat. On Valentine's Day, Voice of America reported that Russian security firm Kaspersky Labs said it had been working with international authorities to investigate a global cyber-attack that may have stolen as much as $1 billion from financial institutions around the world over a two-year period. The hackers gained access to the institutions' systems, stealing directly from the banks rather than from their customers, by sending emails carrying malware to selected bank employees. When an employee opened the malicious attachment, the hackers gained a foothold inside the institution's network. This story illustrates why we believe employee negligence will continue to be the leading cause of security incidents in 2015.
Finally, in January, cyber security firm ProofPoint released a statement saying it had discovered what might be the first proven cyber-attack carried out via the Internet of Things. ProofPoint said the attack occurred between Dec. 23, 2013 and Jan. 6, 2014, and used a variety of compromised devices to send malicious emails to people and businesses around the world. More than a quarter of the roughly 300,000 emails sent each day came from devices other than laptops, desktops and mobile phones, the company said, including home-network routers, Internet-connected multimedia centers, TVs and even a refrigerator.
The year is still young, and protecting your business from cyber-attacks of all kinds is more vital than ever. For more insight into these trends, download the 2015 Second Annual Data Breach Industry Forecast.