Wednesday, August 6, 2014
Companies large and small appear to have been targeted in what is being described as the largest known data breach to date.
As first reported by The New York Times, a Russian crime ring amassed billions of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses.
The NYT said it had a security expert not affiliated with Hold Security analyze the database of stolen credentials and confirm its authenticity.
The records, discovered by security experts Hold Security, include confidential material gathered from 420,000 websites, ranging from household names to small Internet sites.
According to Hold Security’s own report, the hackers didn’t just target large companies. They targeted every site that their victims visited:
The NYT said that so far the criminals have not sold many of the records online, but appear to be using them to send spam on social networks.
If ever there was a reason to research – and buy – cyber insurance, this would be it.
In its recently published paper Cyber Risks: The Growing Threat, the Insurance Information Institute (I.I.I.) notes that reliance on traditional insurance policies is not enough, as companies face growing liabilities in this fast-evolving area.
Following the Target data breach and other high-profile breaches, the I.I.I. said the number of specialist cyber insurance policies is increasing, and that insurance has a key role to play as companies and individuals look to better manage and reduce their potential financial losses from cyber risks.
It cited data from broker Marsh showing a 21 percent increase in the number of clients purchasing cyber insurance from 2012 to 2013. That growth is accelerating in 2014.
Meanwhile, a new report from PwC US and the Investor Responsibility Research Center Institute (IRRCi) indicates that while companies must disclose significant cyber risks, those disclosures rarely provide differentiated or actionable information.
According to the report’s authors:
“The consequences of poor security include lost revenue, compromised intellectual property, increases in costs, impact to customer retention, and can even contribute to C-level executives leaving companies.”
It suggests that investors focus on corporate preparedness for cyber attacks, and then engage with highly likely targets to better understand corporate preparedness and to demand better and more actionable disclosures (though not at a level that would provide a cyber-attacker a roadmap to make those attacks).