Organizations are collecting massive amounts of their customers’ personal data on a daily basis. A customer’s search and purchase history can be invaluable to ecommerce companies and ad networks trying to maximize the probability of a customer making a sale. Every site where a person has an account stores an email address, password, and possibly credit card information and other valuable information about their users.
As these troves of data grow, they become increasingly enticing and valuable to cybercriminals. The same data that a company needs to tailor a sale or an ad to a particular customer can be used to create a more realistic and targeted (and therefore likely more successful) spear phishing email. Credit card information also fetches a good price on the black market, since the growth of ecommerce means that cybercriminals can easily launder their stolen money or convert it into valuable goods.
As a result, it should come as no surprise that data breaches are even more common in 2019 than in 2018. As long as companies continue to collect and store valuable consumer data, cybercriminals will be happy to steal it.
Data Breaches in the Era of Privacy Regulations
In recent years, the data protection landscape has grown more complex very rapidly. This change was kicked off by the European Union’s (EU’s) passage of the General Data Protection Regulation and the beginning of its enforcement in May 2018. The goal of the GDPR was to dramatically expand the privacy protections given to EU citizens regarding their data that is collected by companies. Under the GDPR, consumers have additional rights, and the penalties for non-compliance and data breaches are much higher.
The GDPR also spurred the passage of a number of data protection regulations in other jurisdictions. Under the GDPR, a company could only handle the data of EU citizens if it operated in a country with laws equivalent to the GDPR or if it adopted these principles internally. As a result, many countries and states have adopted privacy regulations in recent years, such as the California Consumer Privacy Act (CCPA).
As the regulatory landscape becomes more complex, achieving and maintaining compliance with these regulations becomes more complicated. The requirements for businesses under data protection regulations vary from law to law, creating a patchwork of rules to follow. As a result, organizations must devote much more time and resources to identifying the regulations that apply to them, learning their requirements, implementing appropriate security controls, and demonstrating compliance. In many cases, these efforts take away from the company’s ability to detect and defend against cyber threats in their networks.
At the same time, non-compliance and data breaches are becoming more expensive for their victims. The average cost of a data breach reached $3.92 million in 2019 and exhibits consistent growth. Data breaches are also becoming more common, meaning that the overall price of poor data protection is rising.
The 2019 Data Breach Landscape
Compared to 2018, 2019 had more breaches but a much lower number of breached records. The 1,473 breaches represented a 17% increase over 2018’s 1,257 breaches. However, the number of exposed records dropped from 471,225,862 to 164,683,455.
These numbers can be a bit misleading since the Marriott breach was discovered and reported in 2018. The Marriott breach included a leak of over 383 million records, more than twice the number exposed in 2019 or in all other breaches in 2018. Without this breach included in 2018’s numbers, the 2019 breaches exposed almost twice as many records as 2018 (164 million vs. 88 million).
The continued growth of the number and average record exposure of data breaches indicates that organizations are still struggling with properly protecting the data entrusted to their care. Customers’ personal data is extremely valuable to cybercriminals and can fetch a high price on the black market. As a result, plenty of motivation exists for these groups to continue honing their skills and working to break through organizations’ cyber defenses in search of sensitive data.
Companies’ failure to protect this sensitive data can cost them in a number of different ways. Regulations like the GDPR mean that a data breach can result in fines in the millions of dollars, like the $123 million fine imposed on Marriott after its breach. Organizations also face costs due to lost productivity, customer notifications and settlements, lawsuits, and loss of company reputation and customers after a breach.
Protecting Sensitive Customer Data
The growth in data breaches demonstrates that cybercriminals are ahead of their targets when it comes to knowledge of data protection. For many organizations, the defenses that they put in place to protect their intellectual property or sensitive consumer data are obviously inadequate to secure it against a sufficiently determined threat.
As the price tag and potential repercussions of a data breach increase, organizations must put in place stronger defenses for their collections of sensitive data. A data security solution capable of identifying repositories of sensitive data within the enterprise network, evaluating them for vulnerabilities, and monitoring access attempts for any anomalies is the first step in accomplishing this. Once an organization can track the location and security of all of their data, regardless of its location in the network, they are in a position to build out additional defenses to address specific security threats and use cases.