2015 Data Breaches – The Year In Review
Author: Greg Johnson, Vice President of Business Development at A-LIGN.
Data breaches were alive and well in 2015, with some of the largest breaches in history occurring last year. The Office of Personnel Management (OPM), or in other words our Federal Government, was hacked to the tune of 21.5 million records. A Chinese hacker group known as Deep Panda hacked 80 million records from Anthem. Just two weeks ago, Alliance Technical Services of Huntington Beach was hacked.
Surprisingly, I have seen a downward trend since 2013. It should be noted that the data in this article was taken from the Privacy Rights Clearinghouse (PRC) [1]. The PRC has been tracking publicly reported data breaches since 2005, and has grown to encompass data approaching one billion data breaches.
It should also be noted that the data from the PRC is, I believe, only just that – a representation – of data breaches in North America. These are only those which were publicly reported. In a previous company, I interfaced with compromised merchants for many years, and in researching previous data breaches found that some are not in this data set. Hence, these numbers are not all-encompassing. I believe, however, that the trends I found are representative of the larger data set.
Key Data Points
Here are some highlights of the data I reviewed from 2015, along with comparative data from 2013 and 2014, followed by the actual numbers as well as a graphical representation by category.
- Total data breaches tracked for 2015 equal 201. The surprising factor is that this is slightly less than a third of the data breaches reported in 2013, which topped 623. This does not appear to be coincidental: 2014 also showed a marked decrease from 2013, down to 297 total breaches, indicating a steady downward trend.
- The data set includes General Business (BSO), Financial and Insurance (BSF), Retail/Merchants (BSR), Educational Institutions (EDU), Government and Military (GOV), Healthcare (MED), and Nonprofit Organizations (NGO).
- Breaches in the General Business category remained relatively constant from 2013 to 2015 (this excludes Retail/Merchants and Financial/Insurance services).
- Merchant and Healthcare breaches experienced a dramatic decline.
Breach numbers by category:
Any data breach is one too many, and clearly too many still occur. It is encouraging, however, that breaches in the key merchant and healthcare sectors seem to be in decline. Perhaps this is due to maturing PCI and HIPAA guidelines and practices, as well as enhanced security awareness and buy-in.
To continue this downward trend, businesses would do well to ensure the following on an annual basis:
- Arrange for an annual penetration test from a qualified, experienced security company.
- Implement a written information security policy which includes firewall policies, firewall change and access control, incident response, and succession contingencies.
- Become compliant with applicable compliance guidelines such as PCI, HIPAA, SOC, ISO 27001, and others. This may involve hiring a qualified entity to perform a readiness assessment or provide consulting.
- Hire or contract with information security personnel to develop a culture of cyber security.
Will 2016 bring a continued reduction in data compromise? The above will not guarantee it, but will make it more difficult for malevolent parties to find low-hanging fruit. What about the expanding mobile universe? A year from now my article may be very different – hopefully the trend continues.