According to the Data Breach QuickView Report – published in January 2017 – the total number of breaches reported during 2016 was a whopping 4,149! However, for all we know, this may just be the tip of the iceberg.
In October 2016, Uber experienced a serious data breach in the US. Not only did Uber know about it, they actually paid $100,000 to the culprits to delete the data and keep quiet about the attack – a criminal offence under California state law. Personal information from 57 million customers and drivers was stolen, including names, email addresses, phone numbers, and license plate numbers. Using login credentials that Uber engineers had left exposed on GitHub – a popular code repository – the hackers were able to download the data from Uber’s Amazon Web Services account. And yes, believe it or not, the data was unencrypted!
Uber are not alone when it comes to failing to report such incidents. According to a report by The Institute of Directors (IoD), as few as 28% of cyber-attacks are being reported to the authorities. According to The Crown Records Management Survey, a quarter of IT workers in the pharmaceutical industry are keeping data breaches quiet. Sports Direct came under fire at the beginning of the year for failing to disclose a data breach in September 2016 that affected 30,000 employees. Additionally, Equifax and the Securities and Exchange Commission (SEC) were both heavily criticised for their long delays in reporting serious security incidents.
Why are companies failing to report their breaches?
The first, and most obvious, reason why companies are not overly keen to shout about how they’ve been fleeced by cyber-crooks is the damage a data breach can do to the reputation of their organisation, not to mention its executives. Of course, the consequences of failing to report a breach could be much worse. Another factor might be that companies don’t actually know what their obligations are, or even how to report a breach when one occurs. For example, according to the IoD report, 68% of respondents – based in the UK – were not even aware of Action Fraud – the UK’s National Fraud & Cyber Crime Reporting Centre. Additionally, while 90% of executives agree about the importance of cybersecurity, only around 50% had a formal security strategy in place, and only 20% had any kind of cyber-insurance policy.
What can be done to rectify this situation?
As you may already know, the General Data Protection Regulation (GDPR) will soon come into effect. Under the GDPR, organisations are required to notify the relevant supervisory authority within 72 hours of a serious breach being detected. Failure to notify the relevant authority may result in a fine of up to €10 million, or 2 per cent of global turnover. So, will these fines encourage organisations to disclose their data breaches? They should, although it also depends on the supervisory authority’s ability and/or willingness to enforce the rules.
Lepide is a leading provider of real-time event detection and reporting software, which enables organisations to detect insider threats, prevent the spread of ransomware and meet compliance challenges.