In our ongoing saga of retail security “reality versus perception” (Note: always bet on perception. Reality is a nice guy who, in all fairness, is a loser), we have the question cropping up of whether data breaches are becoming less common. The answer is straight-forward: No, of course they’re not becoming less common. But the explanation is complicated, mostly involving the subtle distinction between the number of “data breach reports” declining and the number of actual data breaches declining.
This issue cropped up recently thanks to an interesting report on a well-respected site tracking data breaches. The report in Data Loss DB was trying to make sense of the fact that the number of data breaches they’ve been covering has dropped rather steadily all year.
Let’s drill down into these numbers a bit. First, Data Loss DB bases its reports on tracking media around the country. So if the number of stories slows down, that might have nothing to do with the breaches slowing down. Publications are cutting back and data breaches were new and sexy last year, much less so now. If media outlets are getting bored with data breaches, that could cause a sharp drop in the number of data breach stories.
And even if the media interest has not deflated, retailers (and banks and hospitals) are getting a lot better at keeping such information quiet, which would also reduce the number of stories. Lawyers are getting better at skirting disclosure laws, too. New federal efforts to tighten such laws will actually have the opposite effort, so this problem isn’t going to get better any time soon.
Layer atop that the fact that cyber thieves are pursuing large volumes of card numbers, which may result in more cards being taken but fewer individual breaches. Because Data Loss DB logs every breach as a single breach (whether 100 names were taken or 100 million names were taken), this will also cause a drop, albeit a meaningless one.
Speaking of cyber thief professionalism, a key reality-versus-perception issue is awareness. What if there were a lot more breaches but the victims—due to thieves covering their tracks better—were not aware of them? In many of the most recent breaches, a common theme is that retailers, despite millions of dollars worth of sophisticated security software and hardware, were almost universally unable to halt the attacks.
But much worse, their expensive security systems didn’t even alert them to the incidents as they happened and the systems rarely even flagged the incidents after they happened. Typically, it was a heads-up by Visa/MasterCard, processors or the U.S. Secret Service (“Sorry, ma’am, but it looks like you’re the common point of purchase with a huge number of bogus transactions we’re now seeing”) given to the retailer long after the bad guys have packed up their sniffers and moved on to another victim.
Therefore, because retailers can’t report breaches that they don’t yet know about, a drop in the number of reported breaches could truly mean very little.
All of those excuses aside, we can now get to the core issue. Are retailers better protected today? Have they learned their lesson and are they actually running more secure networks than before? The answer to that question, as narrowly phrased, is “Yes, absolutely.” But it’s more along the lines of “Retailers were two percent effective against data thieves before and today they’re nine percent effective.” They’re certainly more secure than they were, but they aren’t even close to being sufficiently secure.
There is some good news, though. Although the state of retail security is still quite shy of where it needs to be, two other players have made huge improvements: the card brands and federal law enforcement.
The fraud detection programs of Visa, in particular, have gotten impressively sophisticated. They are detecting likely fraud a lot more quickly and deactivating suspect cards almost immediately. That means that cyber thieves need to steal even larger number of cards to run a profitable business. How many cards that are stolen is a minor concern for the thieves compared with “How many will still be valid when I try and sell them on the black market tomorrow?”
At the same time, the feds are doing rather well at shutting down black market venues. Their extensive use of undercover agents (yeah, Gonzalez was an undercover agent. You had to bring that up?) has made even the most polished cyber thieves a little nervous about who to trust with stolen goods.
Bottom line: data breaches are still happening today, but we may see a drop a year or two down the road. But why the sharp drop in reported breaches in 2009? It’s like a well-done surprise party. Just because you don’t know about it doesn’t mean it’s not going to catch you offguard tomorrow.
Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page.