back to article More data lost or stolen in first half of 2017 than the whole of last year

More data records were leaked or stolen by miscreants during the first half of 2017 (1.9 billion) than all of 2016 (1.37 billion). Digital security company Gemalto's Breach Level Index (PDF), published Wednesday, found that an average of 10.4 million records are exposed or swiped every day. During the first half of 2017 there …

  1. Anonymous Coward
    Anonymous Coward

    The plan is to bring in the GDPR after there is nothing left to be disclosed. Sounds like it's right on track :)

  2. steelpillow Silver badge
    Devil

    More like data anybody noticed...

    Be honest, this is a measure of security activity. The actual losses have been far vaster for donkeys' years but nobody ever wanted to know.

    At last, infosec whistleblowing is no longer an automatic sacking offence (you do still need qualifications first, though)

  3. alain williams Silver badge

    What do you mean by ''lost'' ?

    I suspect that you mean ''laptop left on train'', or similar, ie misplaced - and possibly in the wrong hands.

    This is very different from ''data accidentally deleted''. There is sometimes a requirement for data to be kept for certain periods. I observe that embarrassing data, especially when asked for by a subject access request, has a propensity to become ''lost - accidentally deleted''.

    These two should be counted separately.

    Could we please start calling the ''left on train'' incidents ''misplaced'', not ''lost''.

    1. Nick L

      Re: What do you mean by ''lost'' ?

      It's worth reading the report, as it does explain a bit more... Accidental loss counts for 18% (166 incidents), with malicious outsiders being by far the biggest challenge (74%) but malicious insiders working their way up too at 8%, or 71 incidents...

      That's just one of the data points in there. There's plenty more.

      Take with a pinch of salt, but it is good evidence to change an organisation's mindset on security.

  4. SVV

    A poor reflection on the industry

    An entrencheched culture of management who still see security as a cost without benefits, combined with a lack of thinking on the part of system designers and implementers has led to this sorry state of affairs,

    How loudly and how often do you STILL need to shout "do not store identifiable user information in unencrypted plain text" before someone takes notice? I'm sick and tired of seeing company databases in the course of my work that have a User table with two columns (username, password) that do this. They often have a mandatory email address column too, enabling an attacker to have a good chance of getting into that user's accounts on other sites too. And the uninterested reaction from management every time I wearily point out what a bad idea this is is something I've come to expect. There are ways of organising a secure soltion via configuration and access control that make even an inside job more or less impossible.

    We need to spread the idea that if you take the lazy approach you have no right to call yourself an "IT professional". And any company / government who stores user credentials this way should be made legally liable for any and all losses that are incurred by users as a result, plus damages. Publicising the change in the law should spur all but the most stupid into action.

    1. Doctor Syntax Silver badge

      Re: A poor reflection on the industry

      legally liable for any and all losses that are incurred by users as a result, plus damages

      s/damages/fines/

      The users' losses are the damages. Otherwise, you're quite right.

    2. Anonymous Coward
      Anonymous Coward

      Re: A poor reflection on the industry

      Publicising the change in the law should spur all but the most stupid into action.

      Why? It's already a data breach is already an offence, the bulk of the change is simply that the penalties COULD be much higher. TalkTalk reported the internal costs of their 2015 data breach as £35m a figure that could have been easily estimated from previous research that puts this as only just above average in terms of cost per record lost. If instead of a "mere" 156k records, they'd lost 1m, then the costs would have been even higher, perhaps £150m. Both actual and my example dwarf current and likely fines under GDPR.

      So, if TalkTalk (and all the other careless UK hoarders of bulk data) aren't put off by the risk of their company being found guilty by the ICO, by the vast reputational damage, and by the prospect of recovery costs in the ballpark of £30m-£300m, why will these dinosaurs change?

      My guess is that most would, and would have done so a long time ago if they knew how. But they don't.

      Few if any directors understand IT. Few CIOs really understand the architecture and risk register of their IT estate in much detail. And the few overworked ITSec staff rarely have the luxury to see the full picture, simply because there's so much corporate code. Just from business change, corporate systems rapidly acquire Byzantine complexity; outsourcing and offshoring mean there's no historic knowledge, no local knowledge, no understanding of the fudges, bodges, and skeleton-filled cabinets. Documentation means nothing unless it is good documentation, you have people who can properly interpret it, and you can find the documentation after the contractors have departed to another gig. Now throw in a few mangagerial reorganisations, that always see the loss of senior staff who are complaining about ITSec risks.

      I'd love to see IT security improve, but I don't expect much change for the reasons above.

      1. Adam 52 Silver badge

        Re: A poor reflection on the industry

        "Why? It's already a data breach is already an offence, the bulk of the change is simply that the penalties COULD be much higher."

        Breaches themselves are not an offence, failing to secure adequately is. In the same way that crashing a car isn't a crime but dangerous driving is.

        GDPR covers a lot more than the larger fines though. There's mandatory disclosure, so reputation damage is always a risk. Then there's the subject access and consent rules so people can take action to make sure that the data isn't there to be lost. And then there's collective action that means everyone will be able to collect damages, not just those that can afford lawyers.

    3. Cynical Observer
      Coat

      Re: A poor reflection on the industry

      @SVV

      I can't be the only one who saw the comment title and thought...

      "Need better Data Mirroring!"

      Mines the one with the compact. ---------->

  5. Tigra 07

    All is lost

    And yet Theresa May still wants encryption banned or discouraged despite local government needing it and not using it.

  6. Doctor Syntax Silver badge

    It's not surprising. Big Data means more data to be snaffled.

  7. Anonymous Coward
    Anonymous Coward

    I'm alright, I keep my data in a jar at the back of the kitchen cupboard next to the hob nobs.

  8. CheesyTheClown

    You mean more detected loss?

    Call me an asshole for playing the causality card here.

    Did we lose more data or did we manage to detect more data loss?

    1. Scott Broukell

      Re: You mean more detected loss?

      My dear Cheesy, sadly, from such data, it would appear that overall we all lost more manage.

  9. CaitlinBestler

    Security Is Not Hopeless

    Whody en you listen to the breached companies lament you would get the impression that cyber-security is impossible.

    But consider for a moment that we do not have routine electronics looting of bank accounts, or of confidential files have by law firms for clients. Somehow *those* records can be kept secure.

    Nobody designs their bank accounts so that a single password can abscond with the entire assets of a company, but apparently that is all it takes to steal all of the data held about consumers. But that's understandable, cash has real value that needs protecting.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like