Putting Breaches in Perspective


April 29, 2014

By Richard Stiennon

Last year SafeNet sponsored my work on a project to develop the Breach Level Index (BLI). The BLI is designed to provide a simple way to input publicly disclosed information on data breaches and calculate a score indicating breach severity.

I looked at other scales that had been created, such as wind severity classified by the Beaufort Scale, volcanic eruptions by the Volcanic Explosivity Index, earthquakes by the Richter Scale and, probably the best known, the Saffir-Simpson scale for reporting hurricane severity.

SafeNet has been issuing quarterly reports on breach severity, and the latest was released today. In terms of stolen records, there has been a 3X jump from 60,271,416 in Q1 2013 to 199,938,458 in Q1 2014. The total number of breach events dropped slightly from 260 to 254.

An interesting turn of events is that insiders accounted for 52% of the breached records, although only accounting for 28 of the 254 incidents.

Using the BLI, SafeNet was able to point out:

  • Worst breach was Korea Credit Bureau by a malicious insider with a score of 10 and 104 Million records stolen.
  • Worst US Breach – Forbes from malicious outsiders with a score of 7.9 and over 1 Million records stolen (unless you count global ones like the Visa/MC breach).
  • Worst Healthcare – St Joseph’s Healthcare System with 7.8 and 405,000 records stolen.
  • Worst University – University of Maryland with 287,000 records stolen and 7.7 on the scale.
  • Worst financial services – Visa/MC AMEX Discover with 7 million records accessed and an 8.3 score.
  • Worst retail was Sally Beauty Supply with a 7.5 and 282,000 records accessed. This didn’t make the news.
  • The country of Korea was hit the worst with 4 of the top 5 breaches.

Of course, public breach reporting is still not required worldwide, so the US has the most breaches (190 compared to 1 in LATAM and 32 in Europe). The scope and severity of breaches are bound to increase as reporting gets better and attackers get more aggressive.
