As of today’s date, breach compilations by both the Identity Theft Resource Center and Open Security Foundation indicate that there were fewer breach reports in 2009 relative to 2008. While some of the apparent decrease may be due to two sources used last year not being available online for the second half of this year, the entire decrease cannot be attributed to these two sources.
So why are breach reports down relative to last year? Are more entities now using encryption and safer methods of transporting data leading to a reduced number of breaches or reduced number of breaches that would trigger a breach disclosure? Has the arrest of a number of master cybercriminals put a significant dent in cybercrime? Either would be cause for some celebration. But there are other possible explanations for why breach reports might be down that would not be cause for celebration, such as:
- Entities deciding not to report or disclose breaches despite any mandatory disclosure laws because of the cost of notification during these rough economic times;
- Entities referring incidents to law enforcement in the partial hope that law enforcement will ask them not to disclose or reveal the breach so as not to interfere with any investigation;
- Breaches becoming more sophisticated and entities not even realizing that they have been breached;
- The media getting bored with breach reporting and not giving it as much coverage;
- 2008 may have represented an anomaly, as inspection of OSF’s nifty graphic at the top of their homepage suggests, with breach reports returning to pre-2008 levels in the spring, or;
- None of the above.
So… why do you think that breach reports declined in 2009?
It could be that the large organized breaches have been attributed to one breach each so that the number is lower. Maybe the ability to link these crimes has made the number lower. The other possibility is that the new business model for “some” companies is “don’t tell, no foul” and take the chance that the company can get under the wire, the cost of fines would be less than the cost of restoration, sending out letters, buying consumer products (not always needed) and reputation damage.
The drop in breaches matches the drop in fraud losses across the payment card industry earlier this year. Attackers have moved on to a greener pasture — online banking. Unfortunately, few statistics exist for online banking attacks. If one were to add the decreasing breaches / payment card fraud to the increasing attacks against online banking, one would see that the attacks have increased if anything. The bad guys have switched targets.
Good point. I just posted an article from USA Today on the problem, here.