2016 was a very good year for thieves, hackers, spies and assorted miscreants. That's according to the Identity Theft Resource Center (ITRC), which reported a 40% increase in data breaches in 2016 compared to 2015.
In its ITRC Data Breach Report 2016, the ITRC counts 1,093 reported data breaches in the US in 2016, up from 780 reported breaches in 2015. One open question about the data, which was compiled under a project sponsored by CyberScout, is whether the rising numbers reflect more breaches, better reporting, or some combination of the two. In a written statement, Eva Velasquez, president and CEO of ITRC, said, "For the past 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available. This year we have seen a number of states take this step by making data breach notifications public on their websites."
The ITRC isn't the only organization to make note of the rise in reported data breaches. On its website, the Privacy Rights Clearinghouse shows 526 total data breaches in 2016 as compared to 266 in 2015. The difference in the numbers illustrates just one of the difficulties in putting an accurate number to the issue: Almost all reports rely on a combination of government notification websites and voluntary notifications from companies that have been hit.
Regardless of the source, there's no doubt that the number of records involved in data breaches in 2016 was huge. A quick scan through the list of breaches made public in 2016 (though the list includes some breaches that actually occurred in previous years) shows more than 2.3 billion records exposed to unauthorized individuals. And those compromised records carry a steep cost. According to the 2016 Cost of Data Breach Study: Global Analysis conducted by the Ponemon Institute, the average cost per lost or stolen record is $158, and the average total cost of a breach is $4 million.
According to the Ponemon report, the largest share of a data breach's cost came not from regulatory compliance or breach remediation but from lost business: the damage to a company's reputation, and the "churn" of customers who leave after a breach, weigh heavily on an organization's bottom line.
Verizon's 2016 Data Breach Investigations Report echoed Ponemon's conclusion about the cost of a damaged reputation and asked whether there's anything to be done in defense of a company's data. The answers were straightforward and not surprising: patch your software promptly, don't rely on passwords alone, teach your users about the dangers of phishing, and for heaven's sake monitor the activity inside your network. The worst damage happens when an outsider crashes your party and sets up camp, casually roaming laterally through your networks and assets for weeks or months at a time before anyone notices that the data cupboards have been plucked bare. That last recommendation is the one most often skipped: it means actually collecting authentication and internal traffic logs and looking at them, because lateral movement leaves its traces there, not at the perimeter.
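To make the "monitor the activity inside your network" advice concrete, here is an added example (written for this page, not code from the DBIR, Ponemon or Light Reading) of one of the simplest lateral-movement signals a defender can compute from authentication logs: a single account, from a single source host, reaching an unusually large number of distinct destination hosts within a short window. The log format, the host and account names, and the window and threshold values are all assumptions chosen for the example; real deployments would read Windows 4624/4648 events, SSH auth logs or NetFlow and tune the threshold against a baseline of normal fan-out.

```python
"""Lateral-movement fan-out detector over constructed authentication events.

Added example for illustration only; the log format and all names are made up.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed one-line format:
#   <ISO timestamp> logon user=<account> src=<host> dst=<host> type=<network|interactive>
# The svc-backup lines model a compromised workstation (ws-bob) using a service
# account to sweep across servers late at night; everything else is routine.
SAMPLE_LOG = """\
2016-03-01T08:00:12 logon user=alice src=ws-alice dst=fileserver01 type=network
2016-03-01T08:03:40 logon user=alice src=ws-alice dst=mail01 type=network
2016-03-01T08:15:02 logon user=bob src=ws-bob dst=fileserver01 type=network
2016-03-01T22:10:05 logon user=svc-backup src=ws-bob dst=fileserver01 type=network
2016-03-01T22:10:09 logon user=svc-backup src=ws-bob dst=fileserver02 type=network
2016-03-01T22:10:14 logon user=svc-backup src=ws-bob dst=db01 type=network
2016-03-01T22:10:20 logon user=svc-backup src=ws-bob dst=hr-app01 type=network
2016-03-01T22:10:27 logon user=svc-backup src=ws-bob dst=dc01 type=network
2016-03-01T22:10:33 logon user=svc-backup src=ws-bob dst=ws-carol type=network
2016-03-02T09:00:00 logon user=bob src=ws-bob dst=mail01 type=network
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) type=(?P<type>\S+)$"
)

Alert = namedtuple("Alert", "user src first_seen hosts")


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Return one Alert per (user, src) pair whose network logons reach at least
    `threshold` distinct destination hosts inside any `window`-long interval.

    Uses a sliding window over the time-sorted events of each pair and keeps the
    largest destination set seen, so the alert lists every host touched in the burst.
    """
    by_key = defaultdict(list)
    for ev in events:
        if ev["type"] == "network":          # interactive console logons are not fan-out
            by_key[(ev["user"], ev["src"])].append(ev)

    alerts = []
    for (user, src), evs in sorted(by_key.items()):
        evs.sort(key=lambda e: e["ts"])
        best, first_seen, start = set(), None, 0
        for end, ev in enumerate(evs):
            # advance the window start until all events fit inside `window`
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            dsts = {e["dst"] for e in evs[start:end + 1]}
            if len(dsts) > len(best):
                best, first_seen = dsts, evs[start]["ts"]
        if len(best) >= threshold:
            alerts.append(Alert(user, src, first_seen, sorted(best)))
    return alerts


def format_alert(alert):
    """Render an alert as a single line suitable for a SIEM or ticket."""
    return "{} user={} src={} hosts={}".format(
        alert.first_seen.isoformat(), alert.user, alert.src, ",".join(alert.hosts))


if __name__ == "__main__":
    for a in find_fan_out(parse_log(SAMPLE_LOG)):
        print(format_alert(a))
```

Run as-is, the script flags svc-backup from ws-bob (six servers in under thirty seconds) and stays quiet about alice and bob, whose two logons each are either below the threshold or a day apart. The threshold and window are the tuning knobs: legitimate admins and backup jobs do fan out, so in practice you seed an allow-list from a baseline period and alert on pairs that exceed their own historical maximum rather than a fixed number.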
— Curtis Franklin, Security Editor, Light Reading