Will 285 Million Compromised Records Catch your Attention?

April 24th, 2009

Earlier this year the Verizon Business Risk team released a fascinating
report, the Verizon Data Breach Investigations Report, that summarizes their
investigations into past data breaches. In this report, the Verizon team has
catalogued 90 confirmed breaches from 2004 to 2008 that resulted in 285 million
compromised records. There are a few takeaways that I’d like to outline in this
post:

  • Attacks are continuing to become highly targeted and customized.
    Now, this is nothing new. We’ve seen data the last several years that points
    to this fact, but this report provides more conclusive data that suggests
    that hackers are trying to go after the crown jewels of an organization.
  • The value of stolen credit card data is decreasing. In
    2007, the value of a credit card record ranged from $10 – $16. Today, that
    rate has dropped to $0.50 per record. This has led criminals to overhaul
    their techniques in order to acquire more valuable information.
  • Large organizations are not the only target for data breaches.
    Of all of the breaches documented by Verizon, 26% occurred with
    organizations with 11 – 100 employees. This should be a warning to
    even small organizations that they must implement a data protection strategy.
  • Organizations are still not implementing PCI requirements.
    In the report, 75% of organizations suffering breaches were not compliant
    with the Payment Card Industry Data Security Standard (PCI DSS) or had never
    been audited. Of particular note are what many organizations consider the
    most difficult requirements to implement: “Requirement 3: Protect stored
    data” and “Requirement 6: Develop and maintain secure systems and
    applications.” One interesting aspect to note is that organizations must
    know where all sensitive data is and ensure it is protected. Oftentimes,
    organizations are not aware of the sensitive data stored on laptops and
    other mobile devices.

The data from this report is useful to organizations that not only want to
understand the risk, but also implement changes that can help protect sensitive
customer data. These changes will require technology, but also processes and
end-user education. As hackers continue to evolve their approach and techniques,
organizations must also evolve to stay a step ahead.