Data Breach “Sky Is Falling”

Much like Chicken Little, data breach vendors and pundits continue to cry that the data breach sky is falling! But is it? A group of researchers set out to answer this very question.

“Neither size nor frequency of data breaches has increased over the past decade,” concludes a new statistical analysis by Benjamin Edwards, Steven Hofmeyr and Stephanie Forrest presented during the June 2015 Workshop on the Economics of Information Security in the Netherlands. Instead, the three argue, the increases that have attracted recent media attention can be explained by normal models. Their article, “Hype and Heavy Tails: A Closer Look at Data Breaches,” explains:

Some of our results seem counter-intuitive given the current level of concern about privacy and the damage that a data breach can cause. However, some simple anecdotal observations about our data lend credence to the results. The largest data breach in our data occurred back in 2009 when cyber-criminals stole 130 million credit card numbers from Heartland payment systems. Additionally, as of March 4, 2015 there had been no breaches of personal information in the past 15 days, less than might be expected given current headlines.

Even so, Edwards, Hofmeyr and Forrest caution that “data breaches are costly” and “project that in the next three years breaches could cost up to $55 billion.” The three authors also make several projections regarding the general areas and types of breaches of greatest concern moving forward, such as a 31% chance of a breach of 10 million records or more in the next year.

A complete copy of the article can be found here.