A Decade of Data Breaches: Facts and Myths

A new report that analyzes 10 years of data breach information reveals that the disclosure of such breaches began to decline in 2014. There were fewer than 400 reported incidents that year, compared with more than 500 a year from 2010 through 2013.

However, this decline is not necessarily a positive indicator, according to Christopher Budd, threat communications manager with Trend Micro, the global cloud security company that issued the report, “Follow the Data: Dissecting Data Breaches and Debunking Myths.”

“It’s hard to determine if that is an anomaly or the start of a new trend,” Budd says. “2014 may have had few disclosures, but we had the Target, the Neiman Marcus and the Michaels breaches, for instance. In 2015, we have had several Blue Cross Blue Shields that already said they’ve been hit. We have OPM [U.S. Office of Personnel Management].

“While the total number of incidents may be dropping, it doesn’t mean that these are good. It may mean that we are looking at fewer worse incidents instead of many moderate incidents.”

Health Care Industry Is Attacked the Most

According to the report, which analyzed Privacy Rights Clearinghouse data breach records from 2005 to April 2015, hacking and malware were responsible for 25 percent of all data breach incidents over that time. Health care was the most impacted industry, followed by the government and retail sectors. Identity theft also occurred most frequently in the health care industry, at 29.8 percent, compared with retail at 15.9 percent and education at 10.9 percent.

“I would [compare] attacks like this [to] ants at a picnic,” Budd says. “The ants are going to go where the food is. When it comes to personal information, I would say that health information providers have the best store of information to target.” These organizations store Social Security numbers, addresses, dates of birth and other types of personal information for individuals and entire families.

Trend Micro’s research also reveals that the average price of personally identifiable information (PII) dropped from approximately $4 per line in 2014 to $1 in 2015 in U.S. currency. Other information that has become much hotter in terms of market commodities includes various mobile phone operator accounts, which are selling in the U.S. at about $14 each, and information on eBay and PayPal accounts, which can fetch about $300 U.S. each, the analysis shows.

The report also reveals information about the likelihood of specific information being stolen, given that other data was already taken. For example, if someone’s financial data was stolen, there is a 73.33 percent probability that their PII was also taken. And if PII was taken, there’s a 21.8 percent probability that financial data was taken. Budd says this type of information could be valuable in alerting companies and individuals about other areas to be aware of in terms of breaches.