We often hear about the hundreds of data breaches that hamper organizations every year and the impact cybercrime has on merchants, financial institutions and consumers. But rarely do we see the criminals behind these attacks identified by law enforcement, and it is an even rarer sight to see these criminals brought to justice. For many cases involving a data breach, it can take years to gather enough evidence for law enforcement to move forward with an investigation.
To better understand why there is such a delay in bringing cybercriminals to justice after a data breach has occurred, we have to understand the lifecycle of a breach. If your organization is lucky enough or has invested resources into a comprehensive security portfolio, a malicious cybercrime may be detected internally. For the majority of organizations, the norm is to be informed of the breach by law enforcement officials or financial institutions concerned about protecting their cardholders from future fraud. In the 2015 Cost of Data Breach Study published by The Ponemon Institute and IBM, the average time it took an organization to detect a malicious cyber-attack was 256 days, up from 170 days in 2014. There is no concrete explanation for this rise in detection time, but some security researchers believe that cybercriminals are using more advanced attack methods to carry out their plans.
After detecting or being informed of a breach, organizations must then turn their attention to minimizing the impact of the breach before cooperating with law enforcement officials to uncover those responsible for it. In the same study, the mean time to contain a data breach is 69 days, with a range of 7 to 175 days. At this rate, it would take on average 325 days for a breached organization to detect and contain the breach. Once a forensic investigation has been completed to determine the cause and scope of the breach, law enforcement officials can begin their investigation. With every breach investigation being so different, several months to years can pass before indictments are brought against the alleged culprits.
Over the 2013 holiday shopping season, Target had been the latest victim of a data breach, compromising the payment and personal information of tens of millions of customers. As we approach the two-year mark for Target’s massive breach, there has yet to be an arrest related to the theft of Target’s customer information. In 2014, it was believed that the first culprit of the data theft was arrested in Texas. Shortly after, a law enforcement official with knowledge of the breach investigation told Reuters that the arrest was unrelated to the data theft. It would be shocking to see those responsible for one of the largest data hacks in recent history go unpunished, but it could take longer than expected.
In 2007, payment processor Heartland Payment Systems was the victim of a data breach that shook the entire payment ecosystem. At the time, this data breach was one of the largest data breaches to be discovered, compromising as many as 100 million credit and debit cards. It took U.S. federal authorities over six years to gather enough evidence to indict five individuals for a series of cybercrimes from 2007 to 2011, including the Heartland Payment Systems breach. So confident in their payment processing technology, Heartland Payment Systems announced its new breach warranty for its customers in January of this year.
The warranty program would reimburse any merchants for costs incurred from a data breach involving the Heartland Secure payment card processing system. As you can guess, this program did not pan out as expected. Heartland paid out roughly $140 million to affected merchants after fines and other penalties were added up. After the dust settled, one individual was arrested and found guilty in the attack. If that wasn’t enough headaches and stress for one organization, Heartland made the headlines yet again. On May 8, a burglary took place at Heartland’s payroll office, potentially compromising approximately 2,200 individuals after 11 computers were stolen.
Recently, law enforcement officials across the globe have had success in identifying and indicting individuals behind various data breaches. As we approached the end of October, British phone and broadband provider, TalkTalk, issued a statement that the company had been one of the latest victims of a data breach. In less than three weeks, the U.K. Metropolitan Police Cyber Crime Unit made its fourth arrest in connection to the TalkTalk breach. U.S. authorities recently indicted three men for their alleged involvement in the cybercrime that targeted twelve financial services corporations including JPMorgan Chase, Scottrade and others.
Organizations, regardless of size, can no longer be passive when it comes to protecting their network systems and the sensitive data stored within. A security portfolio is needed with tools to prevent network intrusions from ever occurring, and when that fails, a detection tool is needed to pick up the slack. Check out some of the most common data security misconceptions and make sure you haven’t heard these lines in your organization.