Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Study: Breaches of Personal Data Now Prevalent in Enterprises

Eighty-five percent of enterprises have experienced at least one reportable incident in the past 12 months

Data breaches involving personally identifiable information are no longer the exception among enterprises -- they're now the rule.

According to a study released yesterday by the Ponemon Institute and Deloitte & Touche, 85 percent of the security or privacy executive surveyed -- some 800 individuals -- claimed at least one reportable security incident in the past 12 months.

Sixty-three percent said they have experienced between six and 20 breaches affecting personally identifiable information (PII) in the past year.

"Frankly, I’m shocked by the high percentage of PII data breaches we’re seeing occur within organizations," said Rena Mears, Deloitte global and U.S. privacy and data protection leader. "This survey provides insight into the scale of the problem and how enterprises are struggling to respond. It’s clear that both privacy and security professionals are caught in a reactive cycle."

"The astonishingly high rate of data breaches is undermining public trust in both commercial and governmental organizations and points to an urgent need for privacy and security to be elevated as a coordinated, strategic imperative within all organizations," said Larry Ponemon, chairman and founder of the Ponemon Institute. "Our research suggests that privacy and security are still largely reactive, siloed functions."

According to the researchers, the data suggests that a disconnect remains among IT security, privacy officers, legal, and compliance officers. The study found, for example, that privacy officers generally report to the legal department (38 percent) or a compliance officer (21 percent); IT security people generally report to the CIO (76 percent).

Security and privacy officers also continue to spend the majority of their time fixing problems, rather than preventing them, the researchers said. According to the study, more than 50 percent of the time of the survey respondents is spent on more reactive and tactical activities, such as remediation of operational vulnerabilities and responding to incidents in real time.

Respondents also complained that the breach notification process takes too long. Close to 20 percent of privacy and security professionals are spending their time notifying consumers and stakeholders of a data breach, the study says. The respondents feel that, ideally, they should be spending less than 5 percent of their incident response time on notification.

By contrast, respondents said they spend only 10 percent of their time developing their incident response programs, and just 7 percent of their time on employee training.

"The good news for the emerging privacy function is that privacy and security professionals are coming to agreement on the strategic requirements necessary to effectively address the issues associated with privacy and data protection," said Mears.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Deloitte & Touche USA LLP
  • Ponemon Institute LLC }

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 9/25/2020
    Hacking Yourself: Marie Moe and Pacemaker Security
    Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
    Startup Aims to Map and Track All the IT and Security Things
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-15208
    PUBLISHED: 2020-09-25
    In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
    CVE-2020-15209
    PUBLISHED: 2020-09-25
    In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
    CVE-2020-15210
    PUBLISHED: 2020-09-25
    In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
    CVE-2020-15211
    PUBLISHED: 2020-09-25
    In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
    CVE-2020-15212
    PUBLISHED: 2020-09-25
    In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...