Last year, as part of our predictions for 2014 we said there would be one major data breach every month. At the time, many people said that our prediction was overly pessimistic. It was one prediction I would have been happy to have gotten wrong.
Unfortunately, I haven’t been proven wrong. We’ve seen major data breaches hit large institutions left and right. In many cases, these breaches were caused by point-of-sale (PoS) malware planted on these companies’ payment systems. In other cases, attackers got into their networks directly and stole the information of their users.
People may think that financial information is the most valuable information that can be lost, but that’s not always the case. Banks and other financial institutions are very good about not letting consumers eat the cost of financial fraud, so even if, say, your credit card number gets stolen and used by cybercriminals, you won’t have to bear the final cost.
In some ways, in fact, having your personal information leaked is more dangerous. I can change my credit card easily, but unless I move I can’t change my address. Neither can I change my birthday. Personally identifiable information not only identifies the user; it is also frequently difficult, if not impossible, to change.
These kinds of breaches can be used to make future social engineering attacks “better”. For example, a future phishing email or phone call can now quote my address, phone number, and other personal details back to me, and so sound far more convincing. Many users will be fooled and fall victim to all sorts of attacks.
To many governments, it looks like companies are not protecting the information they have on their users. This may be why we’re seeing moves to impose regulations on how companies should protect the data of their users.
For example, in Europe, the new EU Data Protection Regulations could mean that companies face severe fines if they are breached – fines of up to 100 million Euros. Other countries are imposing their own sets of regulations, with their own sets of penalties.
If you’re a company doing business in various countries, these will be some difficult times, as you will now have to cope with differing sets of rules and regulations, increasing the cost of compliance to your company.
There is a silver lining to this, however. Maybe when company directors everywhere realize the cost of being breached, they’ll finally approve putting in place Intrusion Detection Systems and the other tools needed in today’s threat landscape.