How effective are data breach penalties? Are ever-bigger fines enough?

Data breaches are hitting the news headlines everyday, across the Globe! Will imposing penalties alone would control or something more like user education & awareness, better IT Governance practices, change in management perspective of IT etc required to effectively control the incidents?

Click to visit the original post

  • Click to visit the original post
  • Click to visit the original post
  • Click to visit the original post
  • Click to visit the original post
For the past couple of years, data security company ViaSat UK has spiced up the Infosecurity Europe conference by filing an FoI (freedom of information) request for data breach statistics.
In previous years, things have ended up with ViaSat in a spot of biffo with the UK Information Commissioner’s Office (ICO).
In 2011, ViaSat noted that “monetary penalties have been enforced in less than one per cent of the data losses has dealt with.” …  Read more… 614 more words

Schunuck reveals more information on card data breach

Schnuck Markets Inc., has been under fire since late last month when reports of unauthorized card use started emerging, with customers seeing charges ranging from a couple of dollars to thousands. These breaches can costs companies millions in investigative and legal bills, lost business and fines.

Sunday’s statement from the company is the first to reveal the extent of the breach. As many as 2.4 million credit and debit cards used at 79 Schnuck stores may have been compromised over a three-month period, leading to widespread fraudulent charges at locations around the globe, the company said Sunday.

“On behalf of myself, the Schnuck family and all of our 15,000 teammates, I apologize to everyone affected by this incident,” said Scott Schnuck, in a written statement. “Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures.”

Payment card companies impose “stringent rules” and insist that  any merchant that accepts credit cards is required to adhere to industry standards for data security, including annual audits.  Schnuck says it underwent such an audit in November last year and passed.

However, it is debatable how “stringent” are the rules imposed by PCI and whether they are sufficient enough to foil the increasingly sophisticated hacker attacks targeted at stealing data. Experts said the problem is so great that the data security industry is scrambling to get ahead of hackers — and, in many cases, the hackers are winning.

Unfortunately, smaller businesses and  local retail stores chains are, increasingly, becoming targets for hackers because they’re perceived as having weaker security systems. An Arizona-based grocery chain, similar in size to Schnuck, was hacked in February.

In 2012, average time from breach to detection is 210 days!

During 2012, nearly every industry, country and type of data was involved in a breach of some kind, reports Trustwave, data security & PCI compliance firm, in its recently released Global security report 2013.

The findings are interesting, though not unexpected. Some of the key findings are below:

Web applications have now emerged as the most popular attack vector. As organizations embrace mobility, mobile malware continues to be a problem for Android, with the number of samples in Trustwave’s collection growing 400% in 2012.

Businesses are embracing an outsourced IT operations model. In 63% of incident response investigations, a major component of IT support was outsourced to a third party. Outsourcing can help businesses gain effective, cost-friendly IT services; however, businesses need to understand the risk their vendors may introduce and proactively work to decrease that risk.

Businesses are slow to “self-detect” breach activity. The average time from initial breach to detection was 210 days, more than 35 days longer than in 2011. Most victim organizations (64%) took over 90 days to detect the intrusion, while 5% took three or more years to identify the criminal activity.

Spam volume declines, but impact on the business doesn’t. Spam volume shrank in 2012 to a level lower than it was in 2007 but spam still represents 75.2% of a typical organization’s inbound email. Most importantly, new malware research conducted by Trustwave found nearly 10% of spam messages to be malicious.

And finally, as expected, basic security measures are still not in place.  “Password1” is still the most common password used by global businesses. Of three million user passwords analyzed, 50% of users are using the bare minimum.

Trustwave recommends six security pursuits to address the issues. (Picture) Cyber criminals will never stop trying to compromise systems to obtain data. Organizations need to be aware of  where they may be open to attacks, how attackers can enter their environment and what to do if (and when) an attack occurs.