Target’s 2013 cybersecurity breach captured the attention of average Americans in a way that no previous incident had before. Once it was clear the company’s CEO was a casualty of the breach fallout, it also gained the attention of chief executives and corporate boards. This concern was only heightened by the 2014 Sony breach that was extensive in both scope and embarrassment. The Sony incident redefined for many the types of data that can damage a company both directly and indirectly.
However, in 2014 it often seemed like cybersecurity breaches were still largely other people’s problems. It became clear in 2015 that breaches are everyone’s problems. The Anthem and Excellus breaches were a wake-up call to the healthcare industry and introduced consumers to the idea that their health data may be even more valuable to criminals than credit card information. The U.S. Office of Personnel Management (OPM) breach offered many lessons in what not to do in protecting against breaches and responding once they are discovered. It also helped many people realize that it is likely that everyone’s identity information is held by one or more foreign governments and criminal enterprises.
Beyond Records, Turning the Lights Out
December brought a different kind of wake-up call that few Americans have yet to absorb. Two Ukrainian power plants were taken down for several hours. To their credit, the power agencies worked quickly to manually bring electricity online. However, what if the outage had persisted? Losing electricity in the winter could mean no heat, no refrigerator, no communication. There is nothing more immediate and personal than interruption to your home life. Welcome to the next frontier of hacking. We knew it was there just around the corner. Now we have an example.
Implications of Big Breaches as the New Normal
2015 will mark the year that the “big breach” became a normal part of the news cycle. Consumers started to recognize the need to learn to live in a world where identity is compromised and companies need to operate with the understanding that information security is compromised. Psychology and common sense both suggest that you cannot deal with a problem until you recognize it exists. The cybersecurity problem became both personal and unavoidable in 2015. The question is how industry will react over 2016-17 to transition from a sense of helplessness to hopefully taking back control of their own fate.
Select Big Breaches by Month
| Month | Company | Records Exposed |
| January | Topface | 20M |
| Feb | Anthem | 78.8M |
| March | Premera | 11M |
| April | Ryanair Ltd | $5M stolen |
| Rakuten | 7.85M | |
| May | Gaana.com | 10M |
| June | OPM | 32M |
| July | Ashley Madison | 37M |
| UCLA Health Systems | 4.5M | |
| August | Carphone | 2.4M |
| Oct | Experian | 15M |
| Sept | Excellus BCBS | 10M |
| Scottrade | 4.6M | |
| 000webhost | 13M | |
| Nov | Vtech | 5M |
| Moneybookers & Neteller | 8.1M | |
| Dec | Voter Database | 191M |
| Steam | 125M |
The Monthly Numbers
| Month | # of Breaches | Corp | Govt | Records Exposed | Cost |
| Jan | 8 | 8 | 0 | 25,985,000 | $15,071,300 |
| Feb | 7 | 7 | 0 | 79,000,000 | $45,820,000 |
| March | 9 | 9 | 0 | 11,000,000 | $6,380,000 |
| April | 11 | 11 | 0 | 8,400,000 | $4,872,000 |
| May | 8 | 6 | 2 | 14,200,000 | $8,236,000 |
| June | 5 | 3 | 2 | 33,200,000 | $19,256,000 |
| July | 5 | 5 | 0 | 43,000,000 | $24,940,000 |
| Aug | 1 | 1 | 0 | 2,400,000 | $1,392,000 |
| Sept | 5 | 5 | 0 | 10,261,000 | $5,951,380 |
| Oct | 5 | 5 | 0 | 34,100,000 | $19,778,000 |
| Nov | 5 | 4 | 1 | 13,100,000 | $7,598,000 |
| Dec | 6 | 5 | 1 | 319,600,000 | $185,368,000 |
| 75 | 69 (92%) | 6 (8%) | 594,246,000 | $344,662,680 |
Note: Cost per breach uses the Verizon 2015 Data Breach Investigations Report average
Of course, this does not reflect all breaches. It only reflects the major breaches that were also publicly announced because customer personal information was exposed. Not every company is required to disclose breaches that don’t expose customer information.
The cost per breach is likely low as well. Verizon did some excellent analysis in its annual Data Breach Investigations Report, but they conclude that each situation is different even among companies with comparable numbers of records exposed. Because there is substantial variety in the breaches listed, we used Verizon’s average of $0.58. However, the estimate for Anthem is over $100 million. So it is plausible to conclude that these estimates could be much higher.
3 Most Significant Data Breaches
Our list of the most significant data breaches in 2015 doesn’t just consider records although that is a factor. The publicity and impact to the organization were also considered. Our top three list includes:
- Anthem BlueCross Blue Shield - The first large scale breach of personal medical histories and one that impacted nearly 80 million people. This was merely the first of several big hits to health insurers that included Excellus BlueCross BlueShield, Premera and UCLA Health System.
- Office of Personnel Management - A big story in terms of total records (32 million) and a realization of how much data the government stores on citizens. It also illuminated how government agencies can ignore admonitions from inspectors general and Congress without consequences. Well, sometimes there are consequences as the Director eventually lost her job. The incident also was the likely catalyst that led to this week’s announcement by President Obama that he was creating a new federal CISO post.
- Ashley Madison - This was particularly well covered because it exposed a fraud and included a salacious subject matter. However, it showed that any organization can be disrupted to the point where it could go out of business entirely and that Hacktavism can have serious consequences. Sentek Global suggests that 25% of breaches in 2014 were motivated by Hacktavism.
The Sentiment is Changing Quickly
Looking back, 2015 makes 2014 seem like the warm-up. There were still some people who may have thought 2014 was an aberration, but it is hard to believe that sentiment still lingers. The early targets ranging from financial services to government are already spending billions on information security. Expect that trend to take hold across all industries in 2016-17.
By Scott Raspa