Friday, December 20, 2024

Lots of Headaches From Data Breaches, but Few Lawsuits, a Law Firm’s Study Finds

A new report on data breaches from a law firm that analyzed compromises affecting more than 300 of its clients in 2015 offers perspectives that supplement the widely read breach summaries published by data-security technology firms such as Mandiant and Trustwave and by telecommunications giant Verizon.

One purely legal finding from Cleveland-based Baker & Hostetler LLP’s survey is that 146 clients sent notices to customers or posted notices on their Web sites about a breach, but only nine incidents resulted in lawsuits. That finding seems counterintuitive given the public’s impression of the U.S. as a litigious society and the publicity around lawsuits following prominent breaches such as Target Corp.’s.

Craig A. Hoffman, a partner in BakerHostetler’s Cincinnati office who works in the firm’s privacy and data-protection practice, tells Digital Transactions News that the low lawsuit rate is the result of “companies who handle the incident the right way, and the challenges plaintiffs have in filing these lawsuits. A lot of these lawsuits get dismissed.” In addition, consumers whose credit cards are compromised in a breach generally know they have no liability for any resulting fraud, he says.

BakerHostetler provides a number of services to clients that sustain a data breach, including helping them find a forensic investigator, handling the legal and regulatory fallout, and managing communications.

Hoffman did not have figures for the number of payment cards compromised at the breached clients, but he says cards figured prominently in breaches at retailers, which represented 12% of the affected clients, and at restaurants and hospitality firms, 9%. The single biggest affected industry was health care, accounting for 23% of breached clients, followed by financial-services firms, 18%, and education, 16%. Some 25% of the clients had annual revenues of less than $50 million, while 8% had revenues of more than $5 billion.

While restaurants and hospitality merchants ranked fifth among the industries by share of breaches, the average restaurant/hospitality breach affected 2.2 million individuals, more than twice as many as the next-highest industry by people affected, insurance, with an average of 1.1 million customers impacted per breach. The typical retailer breach affected 33,000 individuals.

The leading cause of breaches was phishing, hacking, and malware, a single category in BakerHostetler’s tally that accounted for 31% of the compromises. Phishing was a particular problem in 2015, according to Hoffman.

“We’re seeing a continued increase in the number of incidents that start from a phishing email,” says Hoffman. “It’s across the board … [phishing] is a lot easier than trying to find vulnerable applications.”

Besides exposing a company’s systems to malware when an employee opens a malicious attachment or follows a link in a fraudulent email, phishing schemes frequently involve fraudsters persuading unsuspecting employees to transfer money electronically to accounts the fraudsters control, often outside the U.S. The FBI issued a report this week saying that since January 2015 there has been a 270% increase in identified victims and “exposed loss” from what the bureau calls “business email compromise schemes.”

Many companies have started anti-phishing training programs, according to Hoffman. He considers a program that cuts the open rate on a fraudster’s email from 50% to between 5% and 10% “really good.” But reducing the open rate to zero may be unrealistic, especially when the fraudster sends a flawless, authentic-looking message, for example one purportedly from the CEO to someone in human resources requesting financial or personal employee information.

“Employees are human, even if you do a really good job of training,” Hoffman says. “It’s just a really difficult job.”
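The CEO-to-HR lure described above can often be caught before the employee reads it, because the impersonation usually shows in the headers: an executive’s display name on an outside address, a sending domain one character off the real one, or a Reply-To that quietly redirects answers elsewhere. The following is an added example written for this page, not code from the article or from BakerHostetler. The corporate domain, the executive roster, the homoglyph table and every sample message are constructed for illustration; it goes slightly beyond the article by covering the lookalike-domain and Reply-To variants as well as plain display-name spoofing.

```python
"""Header-level checks for executive-impersonation ("CEO fraud") email.

Added example, not code from the article or from BakerHostetler. The domain,
roster, homoglyph table and sample messages below are all constructed."""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                    # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed roster: name -> real address
# Assumed table of digit/letter swaps commonly seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one or two edits from ours is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a foreign domain that imitates CORPORATE_DOMAIN by glyph swaps or typos."""
    if domain == CORPORATE_DOMAIN:
        return False
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    return normalised == CORPORATE_DOMAIN or edit_distance(domain, CORPORATE_DOMAIN) <= 2


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess(raw_message: str) -> list:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    flags = []
    # 1. The display name belongs to an executive but the address is not theirs.
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        flags.append("display-name-spoof")
    # 2. The sending domain is a near-copy of the corporate domain.
    if from_domain and is_lookalike(from_domain):
        flags.append("lookalike-domain")
    # 3. Replies are redirected to a domain other than the apparent sender's.
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example.com>\nTo: hr@example.com\n"
        "Subject: Org chart\n\nPlease send the updated org chart.\n"),
    "freemail": (
        "From: Jane Doe <jane.doe@gmail.com>\nTo: hr@example.com\n"
        "Subject: Urgent\n\nI need every employee's W-2 today.\n"),
    "lookalike": (
        "From: Jane Doe <jane.doe@examp1e.com>\nTo: hr@example.com\n"
        "Subject: Payroll\n\nWire the attached invoice before noon.\n"),
    "reply_to": (
        "From: Jane Doe <jane.doe@example.com>\nReply-To: jane.ceo@outside.net\n"
        "To: hr@example.com\nSubject: Quick favour\n\nAre you at your desk?\n"),
}


def assess_samples() -> dict:
    return {label: assess(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, flags in assess_samples().items():
        print(f"{label:11s} {flags or 'clean'}")
```

These are triage signals, not proof: a message flagged this way should be quarantined or routed for review, while an unflagged one is not thereby safe, since an attacker who has compromised a real executive mailbox passes all three checks. Sender authentication (SPF, DKIM, DMARC) and an out-of-band callback before any payment or payroll-data release remain the controls that actually stop the wire.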

The other breach causes were employee actions or mistakes, 24%; external data thefts, 17%; vendor actions, 14%; internal thefts, 8%; and lost or improper data disposal, 6%.

Some 52% of the affected companies discovered their breaches by themselves, while 48% were notified by a third party. On average, it took 69 days for a breach to be discovered after its occurrence, and seven days from discovery to containment. A forensic investigation typically took 43 days from engagement of the investigative firm until its probe was completed.


Digital Transactions