According to a report released Tuesday by the breach-tracking Identity Theft Resource Center (ITRC), there were 646 data breach incidents reported in 2008, a 47% increase over 2007's total of 446 breaches, itself a record for the most breaches tallied in a single year.This statistic doesn't shock me for 2 reasons. First, not until recently have Oregon, Wyoming, Massachusetts, and Georgia implemented data breach disclosure regulations and laws - so we can account for the uptick in breach disclosures that way. Second, each year more and more systems are being plugged into the "Internet" and exposed over the world wide web for black-hats to attack.
Considering those two things... I'm not actually shocked at all by a 47% increase, in fact... I think that 2008 was a relatively tame year (as far as increases go). Now... here's where my mind diverges from common thought.
This record number of breach disclosures isn't actually accomplishing the goal that information security and risk management professionals were hoping for. In fact, I'm starting to think that the average CIO has gotten over the shock and awe value of finding their competition on the front page with egg on their face and has started to become apathetic. Yes, I think the shock value of a data breach has lost its luster. Early last year I could walk into a retailer and talk about how their competitor just got massively hacked, exposed, and ransacked and it would evoke an immediate panic and at least the hint of change in the air. Today... a slightly different reaction.
The reaction I'm getting lately is...
"So what, so now that it's happened to almost everybody... won't be just be one of the many faces in the crowd? How much do users/buyers really care?"That reaction genuinely worries me. I'm still blaming the end-users for corporate America's apathy towards data breaches. We're not holding them accountable. We're not holding big (and small) corporations accountable and filing suits, investigations, and demanding action against them otherwise. We keep using their eStore-fronts to continue to buy, transact and otherwise carry on their business.
Shame on the end-users. Only you can change corporate apathy towards data breaches and information disclosures... Maybe there needs to be a Smokey the Bear -type mascott? (Remembers "Only you can prevent forest fires"... --> "Only you can change corporate data breach apathy".... not the same ring) I don't know.. anyone have an idea?