Data breaches have been on a general upward trend since the huge growth of technological devices.
As we continue developing the digital era – where the use of technology is seen as the norm – data breaches are becoming the norm too.
Data breaches have affected companies of all sizes due to the increasing reliance on digital data and the use of technological devices for convenience. With confidential and sensitive data stored on machines or cloud connections, it’s become easier to breach data by breaking into networks.
With technology being one of the contributing factors for data breaches, we mustn’t forget that data breaches existed long before the growth of digital data. Looking at an individual’s private information without authorisation can be deemed as a data breach, but technology has no doubt exacerbated the situation.
Cybercrime isn’t the only worry when it comes to data breaches, as data breaches may be intentional or unintentional.
The Information Commissioner’s Office, the U.K.’s independent authority responsible for upholding information rights in the public interest and data privacy for individuals, defines a personal data breach as:
“…a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”
Though general data breaches have been on a steady rise, Experian notes in their fourth annual Data Breach Industry Forecast five data breach trends that will dominate 2017:
This type of data breach is sometimes likened to an earthquake “aftershock”, where the effects are felt long after the initial disaster, e.g. literal aftershock tremors, an earthquake causing a tsunami, or the long-term rescue efforts to rebuild the impacted area.
It was an emerging trend in 2016, and experts suggest that this kind of breach will likely ricochet in 2017. Following big breaches of LinkedIn, Dropbox, and Yahoo accounts in 2012 and 2014, the personal details of billions of people have resurfaced on the dark web. The risk for users increases far beyond the breach itself, as personal data that is breached can have an impact on an individual for years.
Many people are in the habit of reusing email addresses and passwords. If hackers have access to one account, what stops them from hacking into multiple accounts? This could compromise other personal information such as financial information – perhaps if the user stored card information on their online accounts for things like PayPal, or any online retailer for that matter.
Experian likens the impact of this kind of breach to a company having lost the information from the outset, which is a fair point.
To mitigate losses, companies should strongly advocate the use of two-factor authentication to verify users. This could take away the problem of passwords being reused. Secondary authentication could include methods such as sending a text message to confirm the authenticity of the user. This technique is already widely used by Apple.
Experian also notes that companies should account for “aftershock” breaches the same way they do with traditional breaches. If they don’t take up such advice, many companies and their users may easily fall victim to more vicious attacks, because attackers can take the same approach but go after even more sensitive information, such as medical information.
Experian highlighted this type of attack in its third annual Data Breach Industry Forecast paper in 2016. They noted that as States continue to move their conflicts and espionage efforts to the digital world, there’ll be more instances where corporate and government secrets are uncovered, as well as military operations being hampered. This is only likely to increase as conflicts between countries increase too.
The Office of Personnel Management (OPM) data breach is an example of this kind of attack. In June 2015, the OPM announced that four million people had been targeted. However, FBI Director James Comey estimated the figure to be around 18 million. Some called it one of the largest breaches of government data in the history of the U.S. The information targeted included Social Security numbers, names, dates of birth, and addresses. The breach is thought to have been motivated by gaining intelligence on the U.S.
The issue of state-sponsored cyber-attacks also came into play during the U.S. presidential campaign last year. Both Trump and Clinton expressed that cyber weapons would be used in retaliation to alleged targeted cyber-attacks by foreign nations. With both being in favour of such use, this makes me believe that cyber-warfare attacks against the U.S. will be on an upward trend this year.
Until there is an international framework in place, citizens and their personal information could be caught in the crossfire. Experian predicts that the U.S. will launch at least one major cyber-operation against a terrorist organisation like ISIS or in retaliation for an attack by another nation, e.g. Russia.
Healthcare hacks and/or breaches
Experian believes that the healthcare sector will be most at risk of data breaches as new and sophisticated attacks are emerging. It’s well known that medical identity theft is lucrative and fairly easy for cyber-criminals to exploit.
Medical information remains one of the most valuable types of data for attackers to steal. Reuters reports that credit card details could go for $1 per patient whereas medical records could go for ten times that amount. As medical records are something that we do not have easy access to, it is much harder to detect a potential hacking threat, whereas we can check credit card accounts daily via online or telephone banking.
Unfortunately, there exists a market for reselling medical information, e.g. on the dark web.
It’s likely that electronic health records (EHR) are going to be the new target for cyber-attackers. The portable nature of this information increases the vulnerability of the data as there are multiple entrance points to access the data. While there are cybersecurity systems in place, it only takes one bug or outdated system to expose personal data.
The threat remains with ransomware attacks. Cyber-attackers may opt for this method as it presents an easier and safer way for hackers to get money. As ransomware causes a massive disruption to a company, most organisations will find paying the ransom to be the easiest solution.
To prevent such attacks, healthcare organisations need to be equipped with up-to-date security measures, which should include any response plans should a ransomware attack take place.
Cyber-criminals will focus on payment-based attacks
Although the EMV Chip and Pin liability shift took place over a year ago, it hasn’t put an end to payment breaches. Experian believes that this type of breach will only grow this year. Attackers are using new technologies to steal payment cards through Point-of-Sale (POS) skimmers. These skimmers are fraud devices that have been used for years, which are made to tap card information and PIN numbers at the tills. I believe this is on an upward trend due to the unparalleled growth in self-service tills.
It’s crucial for companies that have yet to adopt the EMV Chip and Pin system to do so with urgency. Retail companies and their customers need to remain diligent during this time. They must also remember that cybersecurity may prevent some fraudulent activity, but it will never deter cyber-criminals.
International data breaches
Experian predicts that this type of data breach will cause the largest loss of international consumers’ data. There could also be a perception that international data breaches are on the rise due to the General Data Protection Regulation (GDPR) that is due to come into force on 25 May 2018. When the GDPR is in effect, companies that handle EU citizens’ data must report breaches within 72 hours. This could create more pressure on companies; however, at the same time, there may be greater consumer awareness of when their data is breached.
Many companies are apparently not equipped to deal with international data breaches. According to a study from the Ponemon Institute, 42 per cent of companies haven’t included processes in their incident response plans to reflect this. To ensure they’re adequately prepared, companies need to test their systems prior to the new regulation coming into force.
Globally, the U.K. is ranked behind the U.S. for data breaches. Companies should be cautious about their relaxed attitudes with regard to cybersecurity because of the Data Protection Act and the fines imposed by the Information Commissioner’s Office that could heavily affect their financial resources and reputation. With the GDPR coming into effect soon, companies will have to tighten their cybersecurity systems and ensure that they have adequate response plans in place.
In the meantime, there appears to be no stopping cyber-attackers. This is evident in 15 of the most infamous data breaches in the U.K.
IMPORTANT: advice on this page is intended to be up-to-date for the 'first published date'.