A leading data breach response insurer says its breach response unit handled 60 percent more data breaches in 2015 than in 2014 in the U.S., with a concentration of incidents in the healthcare, financial services and higher education sectors.
Breaches caused by either hacking or malware nearly doubled in relative frequency over the past year. In 2015, 32 percent of all incidents were caused by hacking or malware vs. 18 percent in 2014.
Twenty-four percent of all breaches in 2015 were due to unintended disclosure of records, such as a misdirected email, down from 32 percent in 2014, according to the report by specialty insurer Beazley. The loss of non-electronic physical records accounted for 16 percent of all breaches in 2015, unchanged from 2014.
“We saw a significant rise in incidents caused by hacking or malware in the past year,” said Katherine Keefe, global head of Beazley’s Breach Response (BBR) services unit. “This was especially noticeable in healthcare where the percentage of data breaches caused by hacking or malware more than doubled.”
Beazley said its findings are based on its response to more than 2,000 breaches in the past two years: 777 incidents in 2014 and 1,249 in 2015.
The proportion of breaches involving third party vendors more than tripled in the past year, rising from 6 percent of breaches in 2014 to 18 percent of breaches in 2015.
Ransomware in Healthcare
Hackers are increasingly employing ransomware to lock up an organization’s data, holding it until a ransom is paid in nearly untraceable Bitcoin. Hollywood Presbyterian Hospital in Los Angeles reported suffering a ransomware attack in February 2016 and ultimately paid the hackers $17,000 in Bitcoin. The FBI has warned that healthcare systems are more vulnerable to attacks than those of other sectors.
Beazley said this trend is borne out by its data, which show breaches involving ransomware among Beazley clients more than doubled to 43 in 2015. The trend appears to be accelerating in 2016. Based on figures for the first two months of the year, ransomware attacks are projected to increase by 250 percent in 2016.
“Clearly, new malware programs, including ransomware, are having a big impact,” said Paul Nikhinson, privacy breach response services manager for BBR Services. He said hacking or malware was the leading cause of data breaches in the healthcare industry in 2015, representing 27 percent of all breaches, more than physical loss at 20 percent.
“Healthcare is a big target for hackers because of the richness of medical records for identity theft and other crimes. In fact, a medical record is worth over 16 times more than a credit card record,” he said.
Higher education also experienced an increase in breaches due to hacking or malware, which accounted for 35 percent of incidents in 2015, up from 26 percent in 2014, according to Beazley's data.
Colleges and universities are reporting increased “spear phishing” incidents in which hackers send personalized, legitimate-looking emails with harmful links or attachments. The relatively open nature of campus IT systems, widespread use of social media by students and a lack of the restrictive controls common in many corporate settings make higher education institutions particularly vulnerable to data breaches, according to the Beazley specialists.
In the financial services sector, hacking or malware accounted for 27 percent of industry data breaches in 2015 versus 23 percent in 2014. Trojan programs continued to be a popular hacking device, according to Beazley’s data.
Attacks often succeed by exploiting misconfigured systems or human error, such as luring employees to respond to phishing e-mails. Beazley offered five steps organizations can take to help protect their data:
- Train employees to be aware of the information they need to protect — personally identifiable information (PII) and protected health information (PHI) — and to avoid falling for phishing attacks and other forms of social engineering.
- Develop a robust incident response plan. Data breaches cannot be well handled on the fly. Advance planning can help avert serious reputational or financial harm. A well thought out and practiced incident response plan should guide management through the life cycle of a breach – from the initial suspicion that something is amiss to full-blown forensic analysis, legal advice, customer communications and PR assistance.
- Categorize potential data risks by threat level. Over-reacting to a breach can be as damaging as under-reacting.
- Review supplier contracts carefully to ensure that your customers’ data is well protected when it is in the hands of suppliers or vendors.
- Encrypt data, particularly mobile devices, laptops, and thumb drives, which are most likely to be lost.
Source: Beazley Breach Response (BBR)