UK named and shamed as Europe's worst country for data breaches

Over one billion records were compromised last year as data breaches became a regular occurrence, especially in the UK, according to a new report.

UK named and shamed as Europe's worst country for data breaches
UK named and shamed as Europe's worst country for data breaches

The latest Breach Level Index from Gemalto's SafeNet revealed that the number of compromised data records increased by a staggering 78 percent to just over one billion in 2014, with data breaches also on the up, rising 49 percent year-on-year to 1,541 incidents. 

The report is particularly bad reading for UK businesses and their IT security departments, as it concluded that the country was the worst in Europe, and the second worst in the world, when it came to the sheer number of breaches last year. 

Citing high-profile examples such as Mumsnet, Moonpig and Axa Healthcare, Gemalto revealed that there were 117 breaches in the UK last year, compared to just 9 in France and 8 in Germany. To put this figure in context, there were 190 breaches in Europe as a whole, meaning the UK's portion accounted for over 60 percent. 

This figure put the country – whose Prime Minister David Cameron has been pushing for an end to encryption – second in the world, behind only the United States with 1,164 breaches in the last year. The US accounted for every three in four breaches (76 percent). 

Interestingly, while ‘malicious outsiders' were cited for over half of data loss incidents, a quarter were down to accidental loss, which significantly eclipsed the much-talked-about malicious insider (15 percent) and state-sponsored actors (four percent). Hactivists were to blame for an even smaller portion than that. 

Where cyber-criminals were involved, Gemalto says that they were specifically hunting for identity-based theft of information. 

“We're clearly seeing a shift in the tactics of cyber-criminals, with long-term identity theft becoming more of a goal than the immediacy of stealing a credit card number,” said Jason Hart, VP of cloud services, identity and data protection at Gemalto. 

“Identity theft could lead to the opening of new fraudulent credit accounts, creating false identities for criminal enterprises, or a host of other serious crimes. As data breaches become more personal, we're starting to see that the universe of risk exposure for the average person is expanding.” 

The report also drew some interesting comparisons between industries, noting that while retail and financial services breach had not changed significantly, both had seen the number of data records lost go up exponentially.

“Being breached is not a question of ‘if' but ‘when.'  Breach prevention and threat monitoring can only go so far and do not always keep the cyber-criminals out,” Hart added. “Companies need to adopt a data-centric view of digital threats starting with better identity and access control techniques such as multi-factor authentication and the use of encryption and key management to secure sensitive data. That way, if the data is stolen it is useless to the thieves.” 

Responding to the news, PA Consulting security experts Edward Savage and Stephen Bailey told SCMagazineUK.com that criminals remain a step ahead of security professionals. 

“PA's recent survey showed that security professionals are increasingly confident that they are doing what they can,” said Savage. “Understanding of cyber-risks is increasing too. But the industrialisation of criminal activity, and the fact that people are still making it easy for criminals through unthinking action, is leading to growth. The solution lies not just with technical solutions but with better education and behaviour change. 

Bailey added: “As good quality malware becomes more available and easier to deploy it is lowering the entry bar to those wanting to carry out malicious activities. This is increasing the numbers of attackers. 

“Businesses do seem to be falling victim to the same sorts of attacks that keep exploiting the same vulnerabilities, which suggests businesses aren't learning from others or perhaps not moving quickly enough with their security improvement programmes.

There is no real substitute for testing your infrastructure and applications using ethical hackers deploying the same tools and techniques as the bad guys. Make sure your security improvement programmes have cyber-awareness at their core. Technology alone won't protect you from a determined attacker.”

Thom Langford, director of global security office at Sapient, told SC that breaches were bound to increase and added that UK would always be targeted.

“Has the UK become a place of rich pickings for cyber-criminals? Or is it simply one of the more attractive targets because of the wealth if international business is based out of here? To be sure, the UK's CSIRT capability has taken longer than many other countries to mature, but I don't see that as the main reason for such a dramatic increase. It would be interesting to see the rises in attacks compared to other countries over longer periods of time to really see if there is a causation rather than a correlation.” 

Langford, a speaker at SC Congress, said that the move to identity fraud would have a real impact on end-users.

“The shift to long term rewards in the form of identity theft dips is an interesting one. Credit card information has become very easy to replace, and losses have been increasingly covered by insurance. The impacts are more quickly realised and dealt with. In contrast the ramifications of identity theft could take significantly longer to be felt, and are much harder to deal with. 

“Criminals are far more organised than they ever have been to date, and until national crime agencies truly get to grips with these groups, both at a personnel level as well as at a domain level, the cost of attack is always going to outweigh the cost of being caught."