Cybersecurity Headache – Corporate Data Breaches Soar, Cost Per Person Up, Too

Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches, according to a new Ponemon survey released this week and first reported by CNET News. The incidence of malicious attacks rose from 12 percent in 2008 to 24 percent last year, according to the 2009 Annual Study: U.S. Cost of a Data Breach survey conducted by the Ponemon Institute and sponsored by PGP Corp. The cost per compromised record involving a criminal act averaged $215, about 40 percent higher than breaches from negligence and 30 percent higher than those from glitches, the survey found. For the first time, companies reported in the survey that data-stealing malware caused their breaches. The average organizational cost of a data breach increased nearly 2 percent to $6.75 million in 2009, while the average cost per compromised record per breach rose only $2 to $204. The most expensive breach in the survey was nearly $31 million and the least expensive was $750,000. Meanwhile, 42 percent of all cases reported in the survey involved mistakes made at third parties, such as outsourcers, and 36 percent of the cases involved lost or stolen laptops or other mobile devices.

In unrelated news, a widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers. The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase. As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said a security researcher at the University of Cambridge. That is despite what the researcher and a security engineering professor contend are several flaws with 3DS.

Security Magazine’s online archive has additional information on cybersecurity issues. Go to www.securitymagazine.com