Another year came and went and the breach statistics were once again smashed by a raft of data compromises and thefts across the private and public sectors. According to the Identity Theft Resource Center, the number of compromised records more than doubled from 2014 to 2015. And Ponemon Institute estimates that the cost of those breaches just keeps rising--6 percent over the past year.
Interestingly, though, the undertones and implications of these breaches are morphing. In years past the news has been about the volume of personally identifiable information stolen. Whether it was the number of addresses, birthdates, credit card numbers, social security numbers or bank accounts stolen, the shocks always came in the sheer quantity of accounts impacted. Mega data breaches like those at TJX, Target and Sony exposed tens or hundreds of millions of accounts at a time and revealed massive negligence in the way organizations went about securing these massive information stores.
But something started to change last year. Regulatory pressure around these specific types of data sets has spurred slow but steady improvement, with many compliance efforts at enterprises removing them as low hanging fruit and making wholesale database theft a little bit trickier. In response, attackers are refining not just their methods but also the data they target.
Sure, there were still plenty of numerically significant exposures of PII, but last year saw the impact of data theft start to be measured in more palpable ways. People's health information was exposed, their children's privacy was put at risk and even their darkest bedroom secrets were uncovered. These are things that can't be easily encapsulated in spiffy infographics, but the reach and severity of their effects are far more REAL to victims than credit card losses that'll be paid out by the banks anyway. It's not just accounts that are impacted; it's the fabric of people's lives that is feeling the ripple effects.
Think about the breach of Ashley Madison, for instance. According to some divorce attorneys, there was a measurable uptick in divorce filings after this cheaters' dating site had its rosters exposed to name and shame customers. While it may be hard to take pity on these people, the lesson for one and all is that the right kind of information can have much deeper consequences than people previously imagined.
This lesson was further driven home with the news last year of the U.S. government's Office of Personnel Management (OPM) breach. This is the office of the government tasked with running background checks and vetting people for security clearances. Not only were a large number of people's files stolen, but what was in those files was remarkably sensitive. They included people's sexual proclivities, their daily habits, people they knew, transactions they made and just about everything in between. As many experts have explained, these files are essentially an extortionist’s dream. According to some, the impact of this breach will last for as many as forty years, until most of those impacted retire.
In the face of this kind of breach, the standard breach response just seems so antiquated and inadequate. Offering a mea culpa and some free identity protection does squat for the victims.
The nature of breaches is also running deeper through the supply chain, with more and more worrying implications for the enterprise. We closed out 2015 with one of the most troubling breach notifications of them all. Juniper Networks informed customers of its ScreenOS-powered firewalls that a previously unidentified backdoor had been inserted into the source code of this software without authorization. The prevailing theory has been that it was placed there by a nation state or advanced attacker to give them essentially unfettered and untraceable access to just about any business network utilizing these Juniper firewall products.
The moral to all of these stories is that while the age of the mega breach might not be quite over, the worst breaches in the coming year may have nothing to do with credit card numbers. Security teams need to be cognizant of the fact that as important as it has been to lock down access to compliance-defined PII, attackers are looking for more than credit card numbers. In 2016, expect this trend to continue.