Protegrity, a provider of end-to-end data security solutions, published a report analyzing
the recent data breaches at Epsilon, Sony and Citigroup. The report, titled
“It’s Not Just About Credit Card Numbers Anymore,” highlights the growing trend
of hackers targeting personally identifiable information (PII) such as email
addresses and passwords, as opposed to financial information, and offers advice
on how these data breaches could have been prevented.

“Data breaches are spiraling out of control, and companies like Sony, Citi and
Epsilon are finding out just how expensive it is to not protect customer data
properly,” stated Suni Munshani, CEO of Protegrity and author of the report.
“The right combination of data security solutions like tokenization and consistent
security policies would have prevented all of the three data breaches mentioned
in the report and saved those companies tens of millions of dollars in damages
and litigation.”

The report also examines the best data security approaches and how companies can
implement them to ensure that they will not fall victim to a data breach in the
future. Highlights of the report include a detailed look into the Epsilon, Sony
and Citigroup data breaches; best practices for protecting financial
information and PII; and why tokenization is the best way to protect all data
types.

“In the case of the Epsilon (the largest distributor of permission-based email in
the world) and Sony breaches, the thieves acquired exactly the kind of
information that allowed them to abuse this trust—email addresses and first
names of people who had opted in to receive information from specific
organizations,” the report noted. “So when a user receives a nicely formatted
email that’s not only personalized but comes from a site he or she registered
with, there’s a good chance they’ll click links and answer questions they might
not have done had the request arrived in a less familiar form.”

According to the 2011 edition of Verizon’s annual Data Breach Investigations Report,
conducted in cooperation with the U.S. Secret Service, 92 percent of all data
breaches were the result of penetration of corporate defenses by external
attacks, up 22 percent from the previous year’s report. The most surprising
finding to emerge from this report was that 96 percent of the breaches were
estimated to have been preventable without difficult or expensive corrective
action, as 92 percent of attacks were relatively unsophisticated.

The Ponemon Institute also regularly conducts surveys around the state of data
security. In 2009, the latest period for which breach cost data is available,
Ponemon found that the cost of a data breach per compromised record was $204,
with legal defense costs up by more than 50 percent as a factor in those costs.
Even more interesting perhaps was the discovery that financial institutions no
longer represented the highest cost by industry, indicating that criminals had
discovered easier prey.