Thu, Oct 15, 2015

Cutting Your Data Breach Down to Size: Part 1

Is size the most important factor in a data breach?

We’ve seen a number of “worst-case-scenario” large data breaches in the past three years, and while these are the breaches that make headlines, are they all so-called “mega” breaches? It’s true that breaches have gotten much, much bigger in just the past few years seeing headlines for breaches reaching upwards of 100 million affected are not uncommon these days.

But notoriety isn’t limited merely to the size of the breach there are other important factors that companies should be considering. While each breach requires certain nuances to the Overlooking Risks Data Breach Response, there are four identifiable overarching “factors” that fundamentally influence the risk level of the breach:

  • size
  • type of PII/PHI exposed
  • the circumstances of the breach
  • the demographics of the affected

Before you start worrying about scaling up for a large data breach (which we will address in Part 2), keep in mind the other factors that are frequently perceived as extremely risky and can cause significant damage to your company and constituents. Here are four examples that illustrate the pitfalls for each of the factors:

The size of the breach: Target
It is worthy of note that Target is not the largest breach on record. However, unfortunately for Target, when the story broke it had all the elements and timing necessary to capture public attention based on sheer size. While the timing was tough the breach affected consumers during the busiest shopping season it was the fact that 40 million customers had been impacted that generated the most headlines.

The type of information lost: OPM
The Office of Personnel Management breach instantly gained notoriety for a number of reasons, but perhaps the most shocking aspect was the depth of personal information that was included in the hacked data – individuals who had detailed government background checks performed had extremely sensitive data exposed, including information on family members and neighbors, complete residence histories, and health and criminal records. It was a treasure trove of data related to individuals serving in a myriad of sensitive government roles.

The population: Ashley Madison
The Ashley Madison breach illustrates just how important population is to evaluating the risk level of a breach. In this case, it was not just the type of data that worried consumers, but rather the exposure of their association with a notorious breached entity. Similarly, breach events affecting sensitive healthcare populations may have impact unrelated to that of identity theft, where individuals are adversely affected or stigmatized by the type of diagnosis or medical history information that has been leaked.

The type of breach: IRS
Otherwise known as the “Get Transcript” breach, it is worth noting because it wasn’t an ordinary breach. What made this incident particularly unique was the fact that the hackers manipulated the multifactor authentication system to gain access to taxpayer records. What’s more, the data used to access information had apparently come from other sources, most likely other breaches. It was a perfect example of the inventive, complex ways hackers can breach sensitive personal data.

By Kroll Editorial Team

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Identity Theft and Breach Notification

Services include drafting communications, full-service mailing, alternate notifications.