Around 60% of corporate data is stored in the cloud. As the reliance on
online databases to store confidential information grows, data breaches
have become more frequent and have gotten more media attention. Data
breaches are defined as “the unauthorized acquisition of computerized
data that compromises the security, confidentiality, or integrity of
personal information.”
Data breaches can be targeted towards
companies, healthcare facilities, governments and individuals on any
scale. Data breaches of financial institutions and healthcare services
are worrisome because consumer’s financial information and personal
health information can be exposed.
Two recent examples show the effects of data breaches:
Consumer: MOVEit
In
May 2023, the file transfer app MOVEit fell victim to a cyberattack
that compromised the data of more than 300 organizations and 18.6
million individuals. The Russia-linked cybercrime group known for
operating the “Cl0p” ransomware has taken responsibility for the hack.
The group exploited a “zero-day” flaw in MOVEit’s file-transfer software
in order to access sensitive data transferred through the app. MOVEit
is an approved and accredited file-transfer service that meets
regulatory compliance requirements for multiple government agencies and
highly regulated industries. These strict accreditation standards made
it a widely used service for organizations with sensitive data. As such,
some of the world’s largest financial institutions, law firms,
insurance providers, healthcare firms, education service providers, and
government agencies have been involved in this breach. Two Department of
Energy entities were among the “small number” of federal agencies that
were impacted. Hackers accessed data including social security numbers,
customers’ addresses, online banking usernames and other financial
account information. The full extent of the breach hasn’t yet been
realized as the number of organizations impacted by ongoing hacks of the
MOVEit software continues to grow.
Medical: Healthcare
In
2022, more than 52 million people had their private health information
exposed in more than 700 breaches. Protected health information (“PHI”),
which includes sensitive information like Social Security numbers,
medical record data, and date of birth, are highly valued on the black
market. The average cost per lost or stolen record is $164, a number
that skyrockets to $429 on average for healthcare organizations.
In
2015, Anthem Inc. suffered a data breach that exposed approximately 37
million records, affecting around 78.8 million people. Anthem’s cyber
insurance policy, led by the American International Group, covers losses
up to $100 million. However, given the scale of the breach, costs could
have climbed above $100 million. A class action suit was filed and was
scheduled to go to trial in July of 2016. As of June 2017, Anthem agreed
to settle the litigation for $115 million, the largest settlement for a
data breach in history.
Insider threats are reportedly the
primary cause for 60% of data breaches. A recent study showed that the
number of insider security incidents has risen by 47% since 2018.
Insiders are typically defined as an individual with legitimate access
to company assets who causes harm to the business either intentionally
or unintentionally. Furthermore, about 91.5% of cyber-attacks involve
some element of human error. These statistics demonstrate the critical
need for employees to be well-educated regarding proper security
procedures. Additionally, many jurisdictions have passed data breach
notification laws that require companies that have been subject to a
data breach to inform their customers and take steps to remediate
possible injuries.