International data breach report flags alarming trends

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

A report by Verizon highlights some extremely troubling trends about the types of data breaches occurring around the globe and also how organizations of all sizes are failing to adequately respond to new threats.

Verizon studied 855 breaches in 2011 involving organizations in 36 countries and compromising over 174 million records. Those figures are alarming in themselves.  But just as concerning are some of the statistics drawn from an analysis of these incidents.  Consider:

  • 98 percent of breaches examined in the report stemmed from external agents, notably organized criminals, but also an increasing number of activist groups.  Meanwhile, only 4 percent of breaches involved internal employees.
  • Hacking was linked to the vast majority of incidents – 81 percent.  As well, increasingly invasive malware was used in 69 percent of the breaches.
  • Most breaches were avoidable, with Verizon’s experts concluding that 96 percent of the attacks were not highly sophisticated.
  • Almost all of the firms involved – 96 percent – were non-compliant with the Payment Card Industry Data Security Standard.
  • Organizations also seemingly had trouble detecting breaches – 92 percent of incidents were discovered by a third party; and typically only weeks or months after the breach occurred.

The report is eminently readable and even occasionally funny (who knew there was a “Sesame Street” method of detecting data breaches).

It also includes a point-of-sale security tip sheet that anyone can cut out and distribute to the stores, restaurants and other businesses they frequent. There are more detailed mitigation strategies at the end of the report.

The report raises some fundamental questions about whether organizations – despite all the warnings and growing evidence of the risks – are taking data protection responsibilities and security standards seriously.

Date modified: