Data breach report

by Mark Rowe

Massive data breaches are degrading the personal privacy of people, say researchers from the Central European University, in Budapest. The study was released by the Center for Media, Data and Society, directed by Phil Howard, CEU Professor of Global Media and Communication. The researchers described data security and privacy policy as ongoing concerns. But it can be difficult to assess privacy breaches in Europe in particular, since many of the biggest incidents of compromised personal records involve people and organisations from around the world. A working paper offers early descriptive statistics and analysis of the first cross-national, systematized event log of data breaches in Europe.

The data is available for download at http://cmds.ceu.hu/.

Some 229 data breach incidents involved the personal records of people in Europe. Globally, all these incidents resulted in the loss of some 645 million records, though not all of these breaches exclusively involved people in Europe. Within Europe, the researchers confirmed 200 cases involving people in Europe, and 227 million records lost in Europe-specific breaches.

Fully half (51 percent) of all the breaches involved corporations, and 89 percent of all the breached records were from compromised corporations. Among all the kinds of organizations from which personal records have been compromised, 41 percent of the incidents involved clear acts of theft by hackers, but 57 percent of the incidents involved organizational errors, insider abuse, or other internal mismanagement (2 percent unspecified).

Comment

Craig Carpenter, CMO at computer forensics and incident response vendor, AccessData (www.accessdata), commented: “While the Central European University report draws attention back to the insider risk, we cannot forget the damage that can be wrought by state-sponsored attacks and highly organised cyber criminals. The breaches at JPMorgan Chase, The Home Depot, Jimmy Johns and Target have demonstrated the scale of the risk posed by external attackers. This report simply confirms that IT teams are fighting a battle on both fronts. What is required is better integration of point solutions, to provide IT teams with overall visibility, enabling them to detect and correlate information so that they can immediately respond to indicators of compromise, whether they are triggered by an external attacker, an employee clicking on a link in a phishing email, or a misconfigured system.”

“While the Central European University report draws attention back to the insider and organisational risk, we cannot forget the damage that can be wrought by state-sponsored attacks and highly organised cyber criminals. The breaches at JPMorgan Chase, The Home Depot, Jimmy Johns and Target have demonstrated the scale of the risk posed by external attackers. For example, the JPMorgan hack is being linked to state-sponsored hacking activity, which requires a very different approach to defending against insider risk, common viruses and mass malware. Organisations need to fundamentally change the way that they address cyber security and incident response through intelligence sharing, integration and automation. Recently, three major initiatives have been announced by UK banking and law enforcement, aimed at combatting cyber attacks and online fraud through intelligence sharing to improve proactive defence against cyber criminals.”

© 2024 Professional Security Magazine. All rights reserved.
