Data breaches cost global business close to USD 400 billion a year
Data can do magic—so we are told. When it goes to wrong hands, the black magic can have dangerous consequences. And it is happening.
“Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed,” - Lee Hsien Loong, the Prime Minister of Singapore
Whether it is health records of a prime minister of one of the most well-governed nations or highly confidential trade secrets of some of the iconic automotive brands, or the social conversations between users of the top social media platform, not to talk of the personal details of you and me, every piece of data suddenly seems highly vulnerable to exposure.
On 20 July, Singapore’s Health Services, SingHealth and Ministry of Communication and Information (MCI) jointly made public that about 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated, they said in a statement. Investigations by the Cyber Security Agency of Singapore (CSA) and Singapore’s Integrated Health Information System (IHiS) have confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs.
On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity. IHiS investigated the incident to ascertain the nature of the activity, while putting in place additional cybersecurity precautions. On 10 July 2018, investigations confirmed that it was a cyberattack, and the Ministry of Health (MoH), SingHealth and CSA were informed. It was established that data was exfiltrated from 27 June 2018 to 4 July 2018.
The data accessed by the attackers included the health records of the Prime Minister Lee Hsien Loong, who sportingly said, "I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed."
But he has tougher task ahead than joking about his own health records. There are voices being heard that question the investment on Singapore’s Smart Nation program. In Singapore, such questioning is rare. But the access of their health records by cyber criminals seems to have shaken people.
Health records seem to be a particularly favourite target of the attackers. In Australia, online health services firm HealthEngine notified last month that a small group of users’ data may have been improperly accessed via HealthEngine’s Practice Recognition System on its website.
“Due to an error in the way the HealthEngine website operated, hidden patient feed back information within the code of the webpage was improperly accessed. This information is ordinarily not visible to users of the site,” the company said in a statement. More than 59,600 patient feedback entries may have been improperly accessed.
The per capita cost of data breach in healthcare is the highest among all industries, according to the recently released 2018 Data Breach report. At USD 408, it is almost double that of the Financial industry which has a per exposed record cost of USD 204, which is second in the list of industries in terms of per exposed record cost of a data breach.
But by no means is it the only industry targeted.
Even while Singapore was detecting the attack, sports goods company Adidas announced a significant data breach involving customer data of those US customers who purchased from its stores online. The compromised data include name, contact information, user name and encrypted password. Some millions of customers could have been exposed though it is not clear how many records were actually hacked.
Considering that it came right in the middle of FIFA World Cup ensured that even those who normally would not have noticed the news saw it.
Just a couple of days prior to Adidas announcement, another huge compromise was reported. The compromise at Exactis, a marketing firm involved a database that contained close to 340 million individual records on a publicly accessible server, unprotected by any firewall, according to a report by Wired. The company claims possessing data on 218 million individuals, including 110 million US households.
Unlike most such exposures which contain generic data like name, address, email ids, Exactis database contains “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.”
While not many in India—and even in the US—would have heard the name of Exactis, it works for major consumer companies and is primarily a data company.
"It seems like this is a database with pretty much every US citizen in it," Wired reported security researcher Vinny Troia as saying. Troia discovered the expose. At 340 million, it is bigger than last year’s Equifax breach which saw a compromise of 145 million records. Wired reported that while “the leak doesn't seem to contain credit card information or Social Security numbers, it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.”
Just like Exactis, survey firm Typeform has seen a breach that impacts consumer data of many of its clients such as Tasmanian Electoral Commission, British prestige brand Fortnum & Mason, digital bank Monzo, and food maker Birdseye. Some of them have issued alerts to their customers but they are just a fraction of the thousands of customers that Typeform has.
The third party specialized B2B providers seem to be the weak link.
Another such provider, 7.Ai, which is an offshore service provider with huge operations in Bangalore (earlier called 24/7 Customer), saw its tools being infected with malware, which could have impacted hundreds of thousands of shoppers of Delta Airlines, Sears, Kmart and Best buy. Other 7. Ai customers include American Express, AT&T, Citi, eBay, Farmers Insurance and Hilton. Amex and Farmers clarified that they weren't affected by the breach.
In UK, online ticket booking site Ticketmaster identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. The company, in a statement said, less than 5% of its global customer base has been affected by this incident.
Involvement of a third party in a data breach raises the cost of the breach. According to Ponemon Institute’s 2018 Data Breach report, the per exposed record cost of a data breach increased by USD 13 to USD 161, if a third party was involved.
There are reported cases where access of data by an unauthorized party may or may not have occurred, but the exposure of unprotected data means vulnerability of that data.
One such vulnerability was reported recently by The New York Times. It said a security researcher found ‘tens of thousands of sensitive corporate documents’ unprotected, accessible on Internet.’ Almost all major automakers such as Tesla, Toyota and Volkswagen were among the companies whose documents were found unprotected, said the report.
“Among the documents were detailed blueprints and factory schematics client materials, such as contracts, invoices and work plans; and even dozens of nondisclosure agreements describing the sensitivity of the exposed information,” it said.
A small Canadian company, Level One Robotics and Controls, was responsible for this exposure. It is still not known if the data has been accessed by any malicious parties. But it was exposed for long.
After a Wall Street Journal report, Facebook suspended a third-party company, Crimson Hexagon, while the investigation about whether it accessed any information illegally is on. This comes after a case involving an analytics firm, Cambridge Analytica, which was alleged to use Facebook data to help political parties (including in India), among other.
World Economic Forum’s Global Risk Report (GRR) 2018 identifies Cyberattacks and Data Theft as two of the top risk to the global economy.
But just how big is the cost to global business? Two reports give us some indication. One is, of course, Ponemon Institute’s Global Data Breach Report, referred above, which measures the cost of a data breach and the other is Gemalto’s latest Breach Level Index (2017) which measures the universe of breaches.
According to Gemalto report, more than 4.8 million records are compromised every day. In 2017 alone, 2.6 billion records were stolen, lost or exposed worldwide. This was an 88% jump over the previous year, 2016, even though the number of incidents declined marginally (by 11%).
According to Ponemon Institute’s report, average cost of a data breach in 2018 is USD 3.86 million, which is a 6.4% increase over the last year’s average cost. Average cost per lost or stolen record is USD 148, up from last year’s USD 141.
The average cost of data breach, of course, varies by the country. While it is highest in the US, it is lowest in Brazil. Healthcare leads all other industries by a huge margin when it comes to per capita cost of breach. Financial and Services follow at No 2 and No 3 respectively.
Organizations undergoing a major cloud migration at the time of the breach saw this increase to per capita cost by USD 12, with an adjusted average cost of USD 160 per record, as compared to a normal average of USD 148.
The report says that a mega breach of 1 million records yields an average total cost of USD 40 million while a breach involving 50 million records yields an average total cost of USD 350 million.
To calculate the cost—the only language that businesses understand—we have to use findings from both the reports—Gemalto’s and Ponemon Institute’s.
Taking the 2017 data from both the reports, the global cost to business from data breaches can be calculated to be USD 367 billion in 2017, which could easily go upwards of USD 400 billion.
Businesses, though sensitized about the danger, do not yet realize the full cost of a data breach, often attaching a cost to it only if there’s a financial fraud. That is a major barrier towards fighting breaches. Ponemon calculates the overall cost taking four components—detection and escalation cost, notification cost, post data breach response, and lost business cost.
Where does India Stand?
Somehow, in India, though, it is rarely that we see reports on major data breaches. Except for the Aadhaar breach, we hardly see media discussing major data breaches.
Is India bucking the trends?
Far from it. In India, breaches just do not get reported.
Recently, Indian media portal, thewire.in reported that the phone numbers, email IDs and addresses of hundreds of thousands of applicants who took the National Eligibility and Entrance Test (NEET) in 2018 were available online. Data was available for 2.5 lakh students out of 13 lakh who took the test.
The website reported that the data was being sold at INR 2.4 lakhs for 2 lakh records. Each record contained student name, his/her NEET score, ranking, complete address, date of birth, mobile number and email ID.
The portal actually verified the claim and found that the data was correct.
However, none of the top Indian newspapers has reported it.
According to the BLI Index by Gemalto, 3.24 million records were stolen, lost or exposed in India in 2017.
If that seems a much smaller number— it is less than 0.25% of global records—that is because the number of consumer records online is far less.
But India is catching up. While the global number for data records compromised saw a growth of 88%, in India, that growth was 783% between 2016 and 2017. There were as many as 29 data breaches in the entire 2017 and 58% of them were identity thefts.
According to Ponemon Institute’s report, the average size of data breach in terms of number of records compromised per breach is second highest in India, with more than 34,000 records per breach.
According to Gemalto data, of the 29 data breach incidents in India in 2017, identity theft represented the leading type of data breach, accounting for 58% of all data breaches, the trend being similar to global trends, where 69% of all breaches were identity thefts.
Without strong regulations, companies do not report the breaches and that is the reason behind lack of coverage and public sensitivity.
According the Gemalto report, the second largest global breach in 2017 occurred in India.
This involved compromise of 200 million records at the Motor Vehicle Department of Kerala. This could have been a political hot potato. But with little sensitivity about privacy, Indian political parties lack the will and understanding to highlight this.
At a BLI score of 9.9 (only marginally less than the globally infamous Equifax breach which was assigned a score of 10), this was in the same league. Yet, few, even in the security community know about it.
India is working out a strong data protection legislation. A committee appointed for the purpose, is reportedly giving final touches to the draft bill. The bill is based on the feedback that it received after floating a white paper earlier. If that is anything to go by, Indian bill will also be modelled on the lines of Europe’s GDPR and UK’s Data Protection regulation.
India is known for producing some of the best pieces of legislation but has a poor track record of enforcement.
With little awareness among people, little care by citizens for privacy and little sensitivity by media, the challenge is huge.