The dark side of data breaches – what is your personal data worth?

There is a lot of discussion - and rightfully so - about the upcoming GDPR and how organisations are changing processes, culture and technology to be compliant. And - as is natural with regulatory requirements - there is some grumbling about overreach and scope. Does GDPR apply to UK companies after Brexit (answer: yes, if you are managing PII of European citizens). Aren't some of the fines excessive? (note: fines for data breaches can reach up to up to 4% of annual turnover, or 20,000,000 euros, so yes, penalties are high).   But it is worth recognising how we got here and why it is so important to safeguard the personal data of employees, customers and citizens. There have been numerous, high profile data breaches - in the UK, US and EU - which you likely have heard about and many more which haven't been as widely reported. In many cases, hackers and criminal elements have been able to access personal data such as credit cards, government-issued identity numbers for tax and residency, health records and other private data.   Why do criminals go to so much trouble? It's all about the money. Personal data sold on the dark web is a big business, and the price of stolen information varies dependent upon the type. Some estimates include the following:  

• Corporate credit card details can be sold for as much as £35.50
• Personal credit card details, depending on how much more information they come with (home address, date of birth, mother's maiden name, etc.) and whether they are verified or not, can be sold for up to UK£4.97 on the dark web
• Facebook credentials can cost as much as UK£3.55
• Google+, Skype, YouTube, and Dropbox credentials can cost as much as UK£5.68.
• eBay credentials, depending on how actively used the account is, where its owner is from, and its rating, can cost as much as UK£16.33.
• Amazon credentials, depending on the balance on the credit card it is associated with, can cost as much as UK£10.65.
• Twitter credentials are approx. £1.78
• Uber credentials are approx. £2.84
• Corporate credit card details can be sold for as much as £35.50
• Personal credit card details, depending on how much more information they come with (home address, date of birth, mother's maiden name, etc.) and whether they are verified or not, can be sold for up to UK£4.97 on the dark web
• Facebook credentials can cost as much as UK£3.55
• Google+, Skype, YouTube, and Dropbox credentials can cost as much as UK£5.68.
• eBay credentials, depending on how actively used the account is, where its owner is from, and its rating, can cost as much as UK£16.33.
• Amazon credentials, depending on the balance on the credit card it is associated with, can cost as much as UK£10.65.
• Twitter credentials are approx. £1.78
• Uber credentials are approx. £2.84

Source:  http://www.trendmicro.co.uk/enterprise/data-protection/eu-regulation/#calculatorp  

  Is your organisation at risk? Potentially yes, according to new research by the industry association AIIM.org. Their research among 200+ organizations found the following:  

• 48% of the respondents rated the maturity of their company´s information governance policies as poor or extremely poor;
• 10% of respondents report data loss due to staff negligence or bad practices within the last 12 months;
• 34% of respondents say their companies do not offer them Information Governance training at all. Fifteen percent say IG training is provided only at induction to the workforce.

  The chart below shows that - based on self-reported data breaches, unauthorised data access issues and poor data discovery processes - Information Governance issues are prevalent throughout a number of organisations.   Email and other unstructured information is usually 80-90% of enterprise information, and this one of the biggest compliance risks. Think of how ubiquitous email is used today for sharing information: as an example, have you ever sent or received corporate credit card details via email (text or image?). AIIM analysed therefore how well this is managed within enterprises.  

How would you describe the governance of emails or chat sessions in your organization?

How would you describe the governance of emails or chat sessions in your organization?

  Bringing it back to the cost of personal data on the dark web and the heavy fines imposed by GDPR, we can see that there are too many potential risks to organisations (and with very heavy consequences) of managing PII without clear and consistent regulatory guidance, independent industry insight and a strong information governance strategy.   Interested in learning more? Download the latest Industry Watch report now to see the latest benchmarks about how organisations are managing their information, tips on potential areas of risk and insight on how to better manage your valuable information assets.