"Today, it's rapidly shifting to an imperative -- auditors look for it, regulators demand it, and customers expect it. Cost is no longer the limiting factor -- boards are willing to spend money to steer clear of the wrong kind of news coverage. The limiting factor is complexity -- you can't segment what you can't map, and too many organizations have effectively lost the blueprints of the infrastructure they run their businesses on," he explained.
By far, the most common record type exposed in 2014 was passwords, followed by usernames, email addresses, and PII (name, address, SSN, DOB, phone number, etc.). When it comes to medical records and financials (credit cards), the volume is much lower -- less than ten percent in each instance -- but larger than in previous years.
Criminals are starting to favor PII over financial information, because it's easier to sell and leverage. To put it simply, the banks are making it harder to use stolen credit card details due to anti-fraud advancements.
Michele Borovac, VP at HyTrust, pointed out that while it's relatively easy to cancel a credit card, it's much harder to track down and recover your identity if it's stolen.
"Attackers with a few pieces of personal information can parlay that data into new credit card applications, online account access and many other nefarious -- but lucrative -- activities," Borovac said.
There are plenty of examples to examine when it comes to data breaches in 2014, but some cases stand out above the others. Looking back, there were two notable incidents in South Korea this year. One of them occurred due to a malicious insider, the other due to external influence.
The first incident happened in January; 104 million credit cards and 20 million records containing PII (names, Tax ID, etc.) were compromised by a worker at the Korea Credit Bureau. According to reports, the insider abused their access and copied the records to an external drive, with the intent to sell them.
The second incident happened in August. A hacker from China, along with more than a dozen others, compromised 220 million records by targeting website registrations for various games and online gambling promotions, ringtone storefronts, and movie ticketing. At scale, the incident impacted 27 million people aged 15-65, which is about 70 percent of the nation's population.
In May, eBay said that attackers compromised staff credentials and accessed a user database. As a result, the incident impacted 145 million people. While no financial information was compromised, the attackers were able to view (at the very least) PII, including names, email addresses, home addresses, dates of birth, and phone numbers. Passwords are also at risk, but those were salted and hashed. Out of caution, eBay asked that all users change their passwords immediately, and warned them against phishing scams.