Media release - 13 December 2012
Millions of individuals are being robbed of personal information around the world as the hacking of company data has rocketed since 2010, according to a new report by KPMG.
KPMG’s Data Loss Barometer, which tracks global trends for lost and stolen information, has found that external data leaks have affected more than 160 million people in 2012 through 835 separate incidents. This was a jump of more than 40% on the year before. And hacking accounted for 67% of the data loss by number of incidents.
But while in previous years hackers were just as likely to focus on stealing medical records or government information, the hacking of information held by businesses has jumped globally from only 8% of total incidents in 2010 to a shocking 52% in 2012.
Philip Whitmore, KPMG New Zealand’s Director in charge of Security Advisory Services, said: “What we are witnessing is a shift from the accidental loss of data to deliberate theft – either to steal or re-sell the data, or sometimes simply for fun or to make a great headline.
“Several of the world’s largest companies have been targeted over recent months by hackers who have grown in sophistication. It is now not just a lone hacker sitting in their bedroom but, in many cases, serious organisations backed by nation states who are leading this new phenomenon.”
Indeed, out of all sectors, both private and public, media companies witnessed the highest incidence of hacking, with 98% of all data loss in 2012 accounted for in this way. The category of “organisations”, referring to bodies such as clubs and not-for-profit organisations, was not far behind at 94%, while retail was the third highest identified sector with 76%.
The severity of the issue was highlighted by the research in that “personally identifiable information”, such as names and credit card information, which can be used to identify a single person, remains by far the biggest reason for breaches of security at 46% in 2012. This compares with the next largest identified sector of password information, which accounted for only 16% of incidents, although this had increased from just 5% in 2011.
Whitmore points out that New Zealand is not isolated from these incidents. “In New Zealand we shouldn’t be complacent. Increasingly we are seeing headlines in the media surrounding data loss, with the Privacy Commissioner describing 2012 as the Year of the Data Breach. What we see in the media, however, typically only includes incidents where the breach has entered the public domain. Incidents which involve the loss or theft of commercial data go largely unreported.”
While companies have borne the brunt of interest from hackers, the public sector, including Governments and education facilities around the world, are still struggling with their own security breaches – both internal and external – recording 16% of the total number of incidents respectively.
But interestingly, the healthcare sector, which has previously struggled with data security, noted a sharp drop in the number of breaches from a high of 25% of all incidents in 2010, to just 8% in 2012.
More positive news was also seen from within both companies and public sector organisations, whose efforts to tackle security from the inside look to be bearing fruit as internal security breaches more than halved from 435 in 2011 to 198 in 2012. However, the cost of human carelessness and systems errors still accounted for 4% of data loss, and physical theft of PCs, hardware and mobile devices accounted for 11% of all data loss this year.
Some ways that organisations can reduce the amount of data loss
- Aligning privacy practices within an organisation with its security practices.
- Treating security as a business issue rather than as an IT issue, and ensuring robust security governance and risk management processes are in place.
- Ensuring Internet-facing systems are kept fully patched and updated.
- Educating everyone within the organisation about the value and sensitivity of the information they possess and how they can protect it physically and online.
- Backing up employee training with procedures and a corporate culture that takes security of information seriously.