Data theft is becoming big business if the estimated damages of recent breaches are any indication. Can you imagine being insured for US $100 million against such events, yet having to bear costs that exceeded even that figure? The recent attack against Anthem, the second largest health insurer in America, involved as many as 80 million records being stolen. The associated expenses have been estimated at more than the $100 million policy taken out by the enterprise. Elsewhere, supermarket chain Target (also in the US) estimated costs of over US $148 million after 100 million customer records were compromised at the end of 2013. But the attack similarities don’t end there – and could apply to any company.
A prominent feature in both attacks was that they started a considerable time before they were discovered. For Target, it was about a month before. For Anthem, the breach may have started as much as nine months before. The time gap between attacks starting and then being discovered is also widening in general. That is the conclusion stated by Verizon, the US communications provider, in its 2014 Data Breach Investigations Report. In other words, you may not have noticed any problems up to and including today; however, your systems may already be compromised.
In the Anthem attack data stolen included client names, birth dates, addresses, and social security numbers. Why would such data interest thieves? One possibility is to leverage the information to make false tax refund claims and then direct payments to accounts controlled by the criminals. To put this differently, you may think your data are only valuable to you and not worth high levels of security. However, cyber-thieves may be interested for very different reasons. Furthermore, as easily available hacking tools proliferate on the web, data theft attempts against smaller organisations are likely to multiply too, as well as against bigger ones.