Most data breaches are the result of weak and stolen credentials. Can we get rid of passwords now? Please?
2013 was a record year for data breaches: There were more breaches than in any single previous year; there were more compromised records than in any year, and the breaches cost businesses and consumers more than in any previous year. The crooks are making out pretty darn good.
But here's the good news: The U.S. government is getting "increasingly interested." Honest. Any year now Congress may actually pass legislation mandating disclosure of breaches affecting consumers. Not this year, but one of these years. (There are state breach-notification statutes in all but three or four states -- depending on who you believe -- but making sense of them all is a full-time job all by itself.)
Exhibit A: FTC just issued a report on mobile purchase apps. The nutshell version: "C'mon, guys. Try to be a little more transparent, woulda? Pretty please?"
Surprise! Mobile apps for making purchases don't disclose much about "liability limits for unauthorized, fraudulent, or erroneous transactions" before people download and install the programs. When the FTC studied these apps, they found it was difficult to distinguish the "pass-through" services from the "stored-value" services. Pass-through are tied to a credit or debit card and qualify for statutory protections that limit consumer liability for fraudulent or disputed charges. But stored-value apps transfer the consumer's funds from another account to one managed by the app itself. These accounts do not qualify for the same protections as pass-through services.
The FTC kindly requests that the app developers be more forthcoming about their terms before the apps are downloaded. The agency also suggests that the app providers disclose to their customers what data they are collecting, how they collect it, and who they're sharing it with. I suggest that the FTC not hold its breath. Likewise, the report recommends that mobile purchase services do more to ensure their customers' data is protected.
According to Jennifer Thompson and Tyler G. Newby of Fenwick & West LLP, the report indicates the FTC's "increasing interest in protecting consumers' privacy and information security." I imagine the app makers are thinking, "Why would I hurt my own profitability by not selling a valuable asset in my possession? And why would I spend money to prevent loss to someone else?"
Who pays the cost of data breaches?
Data breaches cost companies an average of $3.5 million apiece, according to the Ponemon Institute's 2014 Cost of Data Breach Study: Global Analysis (sponsored by IBM). That's a 15 percent increase from the previous year. The survey of "security executives" at "global companies" found that the organizations spend an average of $7 million a year on data security, but the executives would like to increase that spending to $14 million a year.
So a company's executives ask themselves: one breach costs an average of $3.5 million, and we spend $7 million each year to prevent a breaches. If we double our data-security budget, do we get a return on our extra $7 million investment?
There's a number missing from the equation: How much do data breaches cost consumers? Today Money's Herb Weisbaum reports on a 2013 survey by Javelin Strategy and Research on cyberthefts. Those involving the use of a Social Security number to take over an existing account or open a new account stole an average of $5,100, while the average theft from the breach of a credit card or debit card account was $1,600. Business recoup some or all of their losses by writing them off their taxes and passing them on to their customers.
In 2012, the South Carolina Department of Revenue lost 3.6 million Social Security numbers. Total loss from the breach is estimated at $5.2 billion. Consumer victims spent an average of $776 out of pocket and 20 hours to resolve problems associated with the theft.
Here are some more numbers from Naked Security: 2,164 data breaches in 2013 (more than 1,000 in the U.S.), according to Risk Based Security. Total records exposed: 822 million (66.5 percent in the U.S.). That's twice the number recorded in the previous highest year, 2011. More of the attacks were from "outside actors," according to the survey: 71.2 percent. That's also the highest percentage ever recorded.
The source of most data passwords: weak credentials, stolen passwords
Not done with the numbers yet: The primary cause of a data breach is a stolen password. According to the Verizon Risk Team's 2013 Data Breach Investigations Report (which the Dark Reading site summarized in May 2013), 76 percent of network intrusions involved weak credentials, and 48 percent used a stolen password.
Let's add 'em all up: more data breaches, each one costing businesses and consumers more money, and most of them caused by weak credentials and stolen passwords. How about an investment in a safer authentication method?
We don't have to trust the security of our sensitive information to passwords. Honest. It's just that passwords are so darn inexpensive! Even when they're stolen by the hundreds of millions. All but three states have security breach notification laws, according to the National Conference of State Legislatures. (In fact, other sources place the number of states without such a law at four, not three: Alabama, Kentucky, New Mexico, and South Dakota -- but who's counting?)
California was the first state to enact a statute mandating disclosure of data breaches to the consumers when at least 500 citizens of the state are affected by a single breach. A federal breach-notification law that would preempt state statutes has long been rumored, as reported on the Mondaq site last February. However, no such law is expected soon, according to Judy Greenwald on the Business Insurance site.
Who besides me is in favor of a law making reliance on passwords to safeguard our sensitive data a federal offense?