We can all recall some of the biggest data breaches in recent history. The 100 million records stolen by T.J. Maxx attackers in 2007 comes to mind. Of course, as do the more recent attacks on U.S. retailers Home Depot (109 million) and Target (110 million). Also, what about the 130 million customers affected by the Heartland Payment Systems breach in 2009, or the 145 million eBay users hit by a major compromise last year?
The problem is, when we read about these incidents the focus tends to be on the companies themselves, their customers and how they’re likely to be affected in the aftermath.
While there’s nothing wrong with that in and of itself, it might be useful to take a look at the data itself: what was stolen, why was it stolen and where does ends up? With these answers, organizations can then begin to better understand and defend against their attackers.
What’s being stolen?
This was one of the main drivers behind a new Trend Micro report, Follow the Data: Dissecting Data Breaches and Debunking the Myths. In it, we analyze a wealth of data from publicly disclosed breaches in the U.S., as collated by California non-profit the Privacy Rights Clearinghouse (PRC), between 2005 and 2015.
Although it varied by industry, we found, in general, personally identifiable information (PII) – names, addresses, social security numbers, dates of birth, phone numbers, etc. – was the most popular data type stolen over the past decade. But there are two caveats:
Even credit card data has been oversupplied thanks to the sheer volume of data breaches over the past year. This has meant that sellers are no longer differentiating on price according to the brand of card.
In short, the cybercrime underground is a complex and ever-changing ecosystem where market dynamics can quickly alter the data types in demand. A good example of that is Uber accounts, which have become incredibly popular within the online black market lately, as they can be fraudulently charged with phantom rides made by the hacker/‘driver.’
Some Critical Security Controls
The figures from the last decade leave us with one concrete take-away – No matter what kind of data your organization handles, it’s at risk of theft by cybercriminals. How you mitigate this risk will depend on the size of your organization, your budget and what measures you already have in place. Check out the report for a full list of industry best practice critical security controls.
However, a good place to start includes:
Click here to read Trend Micro’s two reports: Follow the Data: Dissecting Data Breaches and Debunking the Myths and Follow the Data: Analyzing Breaches by Industry.
Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.