Sony, Epsilon Security Breaches Preventable: Report
Protegrity, a provider of end-to-end data security solutions, published a report analyzing the recent data breaches at Epsilon, Sony and Citigroup. The report, titled "It’s Not Just About Credit Card Numbers Anymore," highlights the growing trend of hackers targeting personally identifiable information (PII) such as email addresses and passwords, as opposed to financial information, and offers advice on how these data breaches could have been prevented.
"Data breaches are spiraling out of control, and companies like Sony, Citi and Epsilon are finding out just how expensive it is to not protect customer data properly," stated Suni Munshani, CEO of Protegrity and author of the report. "The right combination of data security solutions like tokenization and consistent security policies would have prevented all of the three data breaches mentioned in the report and saved those companies tens of millions of dollars in damages and litigation."
The report also examines the best data security approaches and how companies can implement them to ensure that they will not fall victim to a data breach in the future. Highlights of the report include a detailed look into the Epsilon, Sony and Citigroup data breaches; best practices for protecting financial information and PII; and why tokenization is the best way to protect all data types.
"In the case of the Epsilon (the largest distributor of permission-based email in the world) and Sony breaches, the thieves acquired exactly the kind of information that allowed them to abuse this trust—email addresses and first names of people who had opted in to receive information from specific organizations," the report noted. "So when a user receives a nicely formatted email that’s not only personalized but comes from a site he or she registered with, there’s a good chance they’ll click links and answer questions they might not have done had the request arrived in a less familiar form."
According to the 2011 edition of Verizon’s annual Data Breach Investigation Report, conducted in cooperation with the U.S. Secret Service, 92 percent of all data breaches were the result of penetration of corporate defenses by external attacks, up 22 percent from the previous year’s report. The most surprising data to emerge from this report was that 96 percent of them were estimated to have been preventable without difficult or expensive corrective action, as 92 percent of attacks were relatively unsophisticated.
The Ponemon Institute also regularly conducts surveys around the state of data security. In 2009, the latest period for which breach cost data is available, Ponemon found that the cost of a data breach per compromised record was $204, with legal defense costs up by more than 50 percent as a factor in those costs. Even more interesting perhaps was the discovery that financial institutions no longer represented the highest cost by industry, indicating that criminals had discovered easier prey.