Secure computing image

Three Myths about Data Breaches Debunked

Most data breaches are the result of cyberattacks, right? Well, not really. A researcher has debunked this common myth and several others.

When it comes to data breaches, it can be hard to sort fact from fiction. Fortunately, a Trend Micro researcher scrutinized a decade’s worth of data breach information in an effort to debunk the myths. Knowing the facts about data breaches can help you develop better strategies to defend against them.

Here are three common myths that have been debunked:

1. Most Data Breaches Are the Result of Cyberattacks

The Myth: If you were to ask people about the leading cause of data breaches, they would likely tell you that cyberattacks are to blame. After all, the news is full of stories about cybercriminals stealing millions of data records from the U.S. Office of Personnel Management, Anthem, Premera Blue, and other organizations.

The Truth: Most data breaches are not due to cyberattacks. The leading cause of data breaches is the loss or theft of portable devices (e.g., thumb drives, laptops), physical records (e.g., files, receipts), and stationary devices (e.g., desktop computers, servers). They account for 41 percent of all reported data breaches between 2005 and 2015. In comparison, cyberattacks are to blame for only 25 percent of the data breaches during this timeframe. Other causes include sensitive data being accidentally exposed through mistakes or negligence (17.4 percent), insider leaks (12.0 percent), and payment card data stolen with physical skimming devices (1.4 percent). The cause was unknown in the remaining 3.2 percent of the data breaches.

The Takeaway: While defending against cyberattacks is important, you need to implement other types of security measures as well. Creating policies that govern how employees should handle sensitive data and educating employees about those policies can go a long way in preventing data breaches caused by lost or stolen devices, mistakes, and negligence. It is also a good idea to take advantage of data encryption software, remote wiping technologies, Global Positioning System (GPS) tracking, and other tools to protect data on mobile devices.

2. Most Cybercriminals Seek Personal Information Because It Is in High Demand

The Myth: Cybercriminals mainly try to steal personal information because it pays the most in the underground markets where criminals purchase breached data.

The Truth: In the underground markets, personal information is commonly sold on a per-record basis, where each line contains a victim’s name, address, birthdate, identification number (e.g., Social Security number), and other information. Criminals often purchase these lines to commit identity fraud. Cybercriminals are not getting much money for this personal information anymore. The price has dropped significantly, from $4 a record in 2014 to $1 a record in 2015. A big surplus of this type of data is responsible for the drop in price.

Bank account credentials command some of the highest prices in the underground markets. The credentials for one bank account can cost between $200 and $500 if they come with the account’s balance. The larger the available balance in an account, the higher the selling price. Other account credentials are also desirable, including those for PayPal, FedEx, and Google Voice.

The Takeaway: While protecting personal information is crucial, you also need to protect the credentials you use to access systems, services, and bank accounts. For maximum security, you and your staff should use strong account passwords and change them periodically. Using a password manager will help everyone avoid the temptation of writing them down.

3. Retailers Are at the Highest Risk for Data Breaches

The Myth: Retailers experience the most data breaches because they handle a lot of credit and debit card transactions.

The Truth: Between 2005 and 2015, many prominent retailers have experienced data breaches, including Target, Neiman Marcus, Home Depot, Staples, and eBay. However, it is the healthcare sector and not the retail industry that has experienced the most data breaches during this time. Here is the breakdown of the data breaches by sector:

  • Healthcare (26.9 percent)
  • Education (16.8 percent)
  • Government (15.9 percent)
  • Retail (12.5 percent)
  • Financial (9.2 percent)
  • Service (3.5 percent)
  • Banking (2.8 percent)
  • Technology (2.6 percent)
  • Insurance (1.6 percent)
  • Media (1.4 percent)
  • Other industries (6.8 percent)

The Takeaway: Organizations in just about every sector are susceptible to data breaches. Thus, you need to take data breaches seriously and develop strategies to defend against them.

More Myths Debunked

Learn about other data breach myths in the Trend Micro researcher’s report “Follow the Data: Dissecting Data Breaches and Debunking the Myths.” The researcher analyzed data breach incidents that occurred between January 2005 and April 2015. Information about these incidents came from the Privacy Rights Clearinghouse. This nonprofit group compiles this data from a variety of sources, including media coverage, Office of the U.S. Attorney General press releases, company press releases, and privacy websites.