Some data breaches can't be prevented. But too many occur when data-storage companies fail to make use of "aggravatingly simple protections," a new Javelin Strategy & Research report says.
Ultimately, such failures can lead to a single massive data breach that can result in billions of dollars in consumer fraud losses, according to Javelin's 2013 Data Breach Fraud Impact Report.
In addition to conducting surveys of data breach victims and utilizing Federal Trade Commission methods for categorizing fraud, Javelin based its report on analysis of four major data breaches: the South Carolina Department of Revenue, Northwest Florida State College, processor Global Payments, and the Utah Department of Health.
Javelin estimates the Global Payments breach that started in 2011 will result in $708 million in losses from 428 fraud cases, averaging $1,654 each. Global Payments had originally stated that data from only 1.5 million cards was exposed, but MasterCard and Visa declared the number to be closer to 10 million payment cards, the report states. Global Payments has explained the difference by saying it reported a larger number of card accounts than was exposed to "cast a wide net" for fraud prevention.
In 2012, up to 134 data breaches occurred in an average month, or 1,611 for the year, the report says.
In stressing the danger for consumers of having personal or payment data compromised, the report indicates that more than half of consumers who became identity fraud victims also were victims of a data breach.
"In doing this research, you understand that criminals start with the low-hanging fruit," says report author Al Pascual, a fraud senior analyst for Javelin.
"They pay attention to the folks with the weakest controls, and they can end up walking away with millions of credentials," Pascual adds.
In most cases, the fraudster's initial intrusion can be rated as "low difficulty," the report states.
If a company uses strong passwords for system access and conducts regular checks of administrative settings, it "would shut the door" on many crimes of opportunity, Pascual says.
A significant problem unfolds when companies leave sensitive data unencrypted, Pascual says.
"The only way fraud is going to occur is for the criminal to use the full [payment] card number from unencrypted data," Pascual says. "Encrypting data is relatively simple and data-storage companies should be doing this anyway."
Intrusions in all of the cases studied went undiscovered until the data had already been stolen, signifying that proper detection mechanisms were not in place, the report says.
Companies also need to be forthcoming with information after a breach. Businesses and institutions that refuse to release details "are doing a general disservice" to consumers, government and other businesses by not allowing them to put their own fraud-prevention tools into action, the report says.
Security in layers is a time-tested strategy proven to work the best, Pascual says. But each layer has to be proven to be strong, he adds.
"Good defenses can be in place, but maybe not followed by company employees," Pascual says. "Human error and human complacency come into play."
Javelin recommends that companies conduct regular security audits to review all security configurations, confirm access rights are appropriate and pay special attention to recently dismissed employees.
In addition, companies should purge sensitive data that is not necessary to meet compliance or business needs, while making sure to encrypt all sensitive data with advanced encryption standards.
Improving authentication and not relying on simple passwords provides extra security, the report states. In addition, companies need to react quickly when discovering malware.
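The report's point that fraud depends on the criminal obtaining the full card number from unencrypted storage is easy to make concrete. The Go program below is an added illustration, not code from Javelin or from any of the companies named in the report. It keeps a stored card record as AES-256-GCM ciphertext plus the clear-text last four digits, and shows that a tampered ciphertext, a swapped last-four field, or a wrong key all fail authenticated decryption instead of yielding a plausible number. The `StoredCard` type, the function names and the test card number `4111111111111111` (a constructed, non-issuable test value) are assumptions made for this example; a real deployment would obtain the key from a key-management service rather than generating it beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredCard is the only form in which the data-storage system keeps a card.
// The full PAN exists solely as AES-GCM ciphertext; Last4 is kept in the clear
// for customer-service lookups and is also bound into the ciphertext's
// authentication tag (see StoreCard), so the two fields cannot be mixed and
// matched across records.
type StoredCard struct {
	Last4      string
	Nonce      []byte
	Ciphertext []byte // GCM output: ciphertext followed by the 16-byte tag
}

// NewKey returns a random 256-bit AES key. Assumed for this example only;
// in production the key lives in a KMS/HSM, never alongside the records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// StoreCard encrypts a full PAN (13 to 19 digits) under key. The last four
// digits are passed as additional authenticated data, so altering the clear
// Last4 field later invalidates the tag.
func StoreCard(key []byte, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("PAN length out of range")
	}
	for _, r := range pan {
		if r < '0' || r > '9' {
			return StoredCard{}, errors.New("PAN must be digits only")
		}
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredCard{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	last4 := pan[len(pan)-4:]
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(last4))
	return StoredCard{Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}

// RevealPAN decrypts a record. Any bit flipped in the ciphertext, nonce or
// Last4 field, or use of the wrong key, produces an error rather than output.
func RevealPAN(key []byte, rec StoredCard) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Last4))
	if err != nil {
		return "", fmt.Errorf("record failed authentication: %w", err)
	}
	return string(pt), nil
}

func main() {
	key, _ := NewKey()
	rec, err := StoreCard(key, "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s ciphertext=%x\n", rec.Last4, rec.Ciphertext)
	pan, err := RevealPAN(key, rec)
	fmt.Println("decrypted:", pan, "err:", err)
	rec.Ciphertext[0] ^= 0x01 // simulate a corrupted or tampered record
	_, err = RevealPAN(key, rec)
	fmt.Println("after tampering, err:", err)
}
```

Run it with `go run .`; the tampered record prints an authentication error instead of a mangled card number. The design choice worth noting is the additional authenticated data: binding `Last4` into the tag means an attacker who can edit records but not read the key cannot graft one customer's ciphertext onto another's clear-text fields.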
"Simple mistakes [seem] to be the consistent element in this research," Pascual says.