Data breaches are daily news items. Reports of data breaches affecting governments, hospitals, universities, financial institutions, retailers, and recently an extra-marital affairs site, dominate the news with increasing frequency. This is merely the tip of the data breach iceberg, with the vast majority of incidents remaining unreported and undisclosed. To better understand data breaches, it is important to define the term. International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27040 defines a data breach as:

“Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise processed.”

A wide range of sensitive data is compromised across all industries, from businesses both big and small as well as from individuals. This includes PII; financial, health, education, and payment card data; login credentials; intellectual property; and others. In the news, data breaches are almost always attributed to hacking or malware attacks. While these play a big role in data breaches, they do not account for all incidents. Other frequently observed breach methods include insider attacks, theft or loss, and unintended disclosures. Perpetrators who compromise sensitive data are a diverse group that includes insiders, individual criminals, and organized and state-sponsored groups. Stolen data is commonly used to commit crimes such as financial fraud, identity and intellectual property theft, espionage, revenge, blackmail, and extortion.

Because data breaches have become an everyday affair, people may become desensitized to having their personal, financial, health, education, and other data compromised, which then ends up for sale in criminal marketplaces. This desensitization could be the product of several factors, including:
- Daily data breach incident news overload
- Stolen sensitive data is not tangible like a stolen mobile phone
- No "instant" bad consequence of having sensitive data stolen
- Lack of understanding of the repercussions of sensitive data theft
- California leads other states with the highest number of reported data breach incidents.
- Personally identifiable information (PII) is the most popular record type stolen.
- The healthcare sector is the most affected industry in terms of data breaches.
- Identity theft was the most rampant crime that resulted from breaches in the healthcare industry.
- Payment card data breaches greatly increased starting in 2010.