Data breach disclosure times, and why they need to improve


Are companies quick enough at disclosing when they have been attacked by personal data hunters? Or should they be doing more to keep their user bases informed? According to a new data security report, they should be doing a lot more – and more quickly.

According to the latest “Data breach quick view report” produced by data protection firm Risk Based Security, the length of time between the discovery and reporting of a data breach is gradually decreasing but is still far too high.

One of the myriad requirements of the General Protection Data Regulation (GDPR), the new EU legislation that has forced any company which deals with your personal data to send you umpteen confirmation emails over the past few months, is for organisations to report any data breach to authorities within 72 hours of becoming aware of the event.

Moreover, prompt disclosure of breaches is becoming standard practice for regulators around the world. Some in the financial services sector require organisations to report any foul play within as little as an hour of discovering the breach – something demonstrated with TSB’s online banking woes that have been taking place over the past few weeks.

According to Risk Based Security’s research, however, and despite improvements in the past few years, the average gap between discovery and disclosure of a data failure stands at 37.9 days for the first quarter of 2018. Though that is indeed a significant improvement on the same period in 2017 – when the average period was 42.7 days, as well as 2016 (68.9 days) and 2015 (82.6 days) – it is a long way shy of the snappy turnaround required by the GDPR, which takes effect this month.

Inga Goddijn, executive vice-president at Risk Based Security, says that with the GDPR looming (and the potential sanctions that firms could face being hefty) her firm wanted to demonstrate how difficult data-handling companies are still finding it to conform to Article 33, the part that mandates the 72 hour notification standard.

She reveals that in numbers alone, there were only 686 breaches reported in the first quarter of 2018, versus 1,444 in the same period last year. The likely reason for this is not improved security practices or the impact of the GDPR, she says, but rather a shift in tactics by cyber criminals who are targeting more lucrative information to steal, such as tapping into illicit cryptocurrency mining.

Goddijn notes that the spike in the value of cryptocurrencies that took place in January fuelled a rapid expansion into the theft of computing resources.

“While there is no direct data linking the rise of crypominers to a reduction in data breach activity, there are tantalising bits of evidence that lead us to believe there is some level of relationship at play here,” she adds.

Elsewhere, the report delves into the trends behind different kinds of cyber attacks and finds that, in general, the tendencies recorded at the end of 2017 are continuing on into this year. The top five breach types that dominated recent reports – hacking (unauthorised access), skimming, inadvertent disclosure on the internet, phishing and malware – all remained the top breach types in 2018.

“Other than the dip in the number of data breaches reported, Q1 2018 was very much in lock-step with recent quarters,” said Goddijn. “If there was a truly seismic shift in breach activity, we would expect other metrics to show some signs of change as well. Given this, we think the jury is still out on whether the dip is a one-time blip or part of a larger trend.”

So, although the tactics of cyber attackers are not changing on the surface, it appears as it their motives for attacking may be subtly changing. It’s also true that once discovered, most have a decent length of time in which to make their safe escape.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related. Follow Lee on .

Leave a Reply

Your email address will not be published. Required fields are marked *