As part of the B-Sides San Francisco security conference, Verizon Risk researchers Kevin Thompson and Suzanne Widup have presented findings about the number of major data breaches that could be occurring each month. By “major” the two researchers mean any security breach where more than 1,000,000 records are stolen. If their findings are accurate that means that up to 3 million records are stolen each and every month!
The findings were presented as part of the pair’s “Ripped from the headlines, what the news tells us about information security incidents” talk. As part of their research Thompson and Widup have been investigating the data breach numbers since May of last year. Using a combination of Verizon’s Data Breach Investigations Report and the open-source Veris Community Database the pair compiled over 3,000 data sets from sources including news articles, the Attorney General’s website, government breach tools and Freedom of Information Act requests.
Although the data set isn’t perfect and the research is continuing, one thing is clear, the number of major data breaches is much higher than previously thought. The number of three major data breaches per month was reached using data from 2011 to 2013 coupled with Poisson Distribution theory – a mathematical tool which expresses the probability of a given number of events occurring in a fixed interval of time.
At the end of last year Trend Micro predicted that “we will see one major data breach incident each month in 2014.” However the new number is triple that amount. “When I saw Trend Micro’s prediction I thought it was pretty high,” said Thompson. “But the estimate is actually pretty low right now.”
Thompson told SCMagazineUK.com that the actual figure was 3.07 and that 2010 was not included as data breaches were not as widely reported at the time. Verizon’s data is available on Github and the researchers are actively seeking for data to help with the research.