Out-Law / Your Daily Need-To-Know

Security firm warns of increased data breach secrecy amidst rising incident numbers

14 Apr 2015, 4:51 pm

The number of data breaches uncovered by a security software company's annual survey rose by 23% in 2014. The fact that the number of exposed identities dropped could mean that companies are keeping more information about breaches secret, survey publisher Symantec said.

The retail industry was the focus of increased activity by those seeking to expose data, Symantec's survey (120-page / 7.6MB PDF) said,

"While there were fewer 'mega breaches' in 2014, data breaches are still a significant issue," the survey said. "The number of breaches increased 23% and attackers were responsible for the majority of these breaches."

"Fewer identities were reported exposed in 2014, in part due to fewer companies reporting this metric when disclosing that a breach took place. This could indicate that many breaches— perhaps the majority—go unreported or undetected," it said.

Symantec found that the proportion of organisations which suffered breaches but did not report them rose from 13% in 2013 to 20% in 2014.

"It’s difficult to definitively explain why this information is not being shared publicly. In some cases it’s possible the organizations find it too challenging to determine the number of identities exposed. In others, this information likely remains undisclosed to help save face in what clearly has a negative impact on an organization’s public reputation," the survey said. "What is most concerning, however, is this trend could point to a situation where a large number of breaches are not being disclosed to the public at all."

"While there are many industries, such as healthcare and some government organisations where a breach must legally be reported, most industries do not have such laws," it said. "As a result, some organisations may decide to withhold information about a breach to protect their reputations, and they do not face penalties as a result. This may change in the coming years, as many governing agencies around the world are already looking at bringing in regulation surrounding the proper disclosure of data breaches."

The survey found that 49% of incidents where personal data is exposed were due to attacks from outside an organisation. The rest were due to loss or theft of equipment; accidental releases of data, or action by insiders.

Though there was a reduction in each category it was still the case that accidental release of information accounted for 22% of incidents and theft or loss of equipment for 21%.

"People’s personal and financial information continues to command high prices on the black market, and that means cybercriminals will continue to target major institutions for large scores and small companies for small, easy ones," the survey said. "Many breaches are preventable with the right security measures, including elements such as data loss prevention, encryption, and intrusion detection systems, as well as with effective security policies and training."