Security breaches, where user information becomes publicly exposed or stolen, are a serious issue for an organisation. The exposure of customer data can lead to a loss of confidence in the organisation by its users. Even worse, the organisation could find itself in violation of data privacy laws or on the receiving end of a lawsuit brought by its users. According to Symantec’s 2012 Cost of a Data Breach Study conducted by Ponemon Institute, data breaches cost Indian organisations INR 2,105 on average for each lost or stolen record, with the average total organisational cost of a data breach being INR 53.4 million (5.34 crore).
At first glance, what may seem surprising is that a person’s real name is by far the most common item to be stolen in a data breach, where it is obtained 55 percent of the time. This surpasses even usernames and passwords, most commonly used for online identities, which appear in 40 percent of all data breaches. This points to a trend where hackers are targeting locations people go to complete tasks, in contrast to years past where breaches may have occurred with more frequency through message boards or online games. These former hot-spots would have been less likely to include a user’s real name, often only requiring an alias for a user name.
In contrast, more than 80 percent of data breaches that are occurring this year are with organisations whose Internet presence is secondary to their main business, such as the healthcare and education sectors, where online access to services is often set up as a means of convenience instead of a business front. Viewing a website as an auxiliary service may mean laxer security, making these organisations easier targets for data breaches.
What’s important to note is that this data does not account for actual cases of identity theft; the data has been stolen, but not necessarily used maliciously. Rather, it opens the door for someone with malicious intent to use the information for illicit activities.
A hacker may use some of the information they’ve gathered in a breach to gather further information. For instance, this information could be used to “confirm” someone’s identity over the phone, thus gaining access to further data. In these cases, the hacker is able to work his or her way up the “data chain” in the hopes of obtaining more valuable information.
Most cases of pure monetary theft, where an identity is falsified to purchase goods or services, are carried out far more covertly than buying items with abandon. For example, a thief who has obtained a cache of sensitive data might take one credit card from a list that’s been stolen and then test to see if it is usable by making a very small purchase, one that would draw little attention on a credit card statement. If the transaction was successful, he or she might sell the credit card details on to another party.
Finally, an attacker could use this information to create fake accounts in someone’s name. This could mean misrepresenting someone online, such as in social networking environments. In more extreme cases, the data could be used to blatantly impersonate the individual. While the latter is much rarer, there have been instances of people opening credit cards in other people’s names, or impersonating another individual to receive medical treatment.
Overall, it doesn’t appear that the rise in identities exposed through data breaches is going to be slowing down any time soon. Fortunately, while not always required by law, it appears to be becoming standard practice for organisations that are breached to provide credit monitoring services. The best thing you can do as a consumer is to only provide personal details when absolutely necessary, and keep a close eye on your personal information as much as possible.
Additional Information from the Symantec Intelligence Report, November 2012:
Spam – 68.8 percent (an increase of 4.0 percentage points since October)
Phishing – One in 445.1 emails identified as phishing (a decrease of 0.124 percentage points since October)
Malware – One in 255.8 emails contained malware (a decrease of 0.05 percentage points since October)
Malicious websites – 1,847 websites blocked per day (an increase of 97.9 percent since October)