The Non-Rise of the Massive Data Breach

Massive data breaches aren't getting any bigger, researchers say—but that might just mean the IT department is doing its job.
(Photo: McIek/Shutterstock)

With word last week that a massive attack on the Office of Personnel Management's (OPM) computer servers is even worse than originally thought, and with news coverage of massive data breaches growing more common, you'd think hackers are reaching into ever-larger databases. But in reality, data breaches are down in size compared to a decade ago, according to a recent report, though the researchers caution that this is no time to let our guard down.

Reading the news, it's easy to imagine malicious hackers are wreaking ever more havoc on corporate America and the government. Last year, the computer security firm Symantec Corporation, probably best known to most Americans for its Norton anti-virus software, reported that data breaches were on the rise. Following that report, security failures at Home Depot, the health insurer Anthem, and the OPM exposed tens of millions of credit card numbers and Social Security numbers and, in the OPM attack, more than five million federal employees' fingerprints. Those attacks and others led Congress and the White House to call for new data security regulations and rules requiring notification in the event of a breach.


But aside from growing chatter, are cyberthreats like these actually getting worse?

The short answer is "no," write computer scientists Benjamin Edwards, Steven Hofmeyr, and Stephanie Forrest. In a study presented at the 2015 Workshop on the Economics of Information Security held last June, the trio analyzed a decade of breach records, including dates and breach sizes, catalogued by the Privacy Rights Clearinghouse (PRC), a non-profit devoted to consumer privacy. If one simply plots that data, say the yearly average breach size, it looks like attacks have been getting bigger since 2012. But the picture is messier if one looks at the month-to-month averages, and it becomes unclear whether there's a real trend at all.

To get a better handle on what's going on, Edwards, Hofmeyr, and Forrest constructed a statistical model to search for trends in the average breach size, even in random-seeming data. Analyzing the PRC data with that model, the researchers estimated that the average size of a malicious breach declined from about 5,200 exposed records in 2005 to about 4,600 this year. Negligent breaches, arising from a misplaced laptop for example, didn't change at all. The average size of large breaches, defined as those involving 500,000 people or more, stayed constant over the last decade.
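The gap between the naive yearly plot and the model's answer is worth seeing in code. The following is an added example, not code from the Edwards, Hofmeyr, and Forrest study nor from the Privacy Rights Clearinghouse; it assumes (my assumption, not something the article states) that breach sizes are heavy-tailed and roughly log-normal, so a handful of giant incidents can drag a year's raw average up or down regardless of what the typical breach is doing. It constructs synthetic records whose median size drifts down by about 12 percent over a decade, the same order of change the article reports, then compares raw yearly means against a least-squares trend fitted on the log scale, where the giants no longer dominate.

```python
"""Why yearly averages of breach sizes can mislead, and how a trend
fitted on the log scale behaves differently.

Added example, not the study's code. Assumes (my assumption) that
breach sizes are heavy-tailed and roughly log-normal.
"""
import math
import random
from collections import defaultdict

# A record is (year, month, records_exposed); months run 1..12.


def simulate_breaches(seed, start_year, n_years, per_month,
                      median_start, median_end, sigma):
    """Construct synthetic breach records (constructed data, not PRC's).

    The log-normal location parameter (log of the median breach size)
    declines linearly from log(median_start) at the start of the first
    year to log(median_end) at the end of the last year. sigma is the
    spread in log units; large sigma gives the heavy tail.
    """
    rng = random.Random(seed)
    mu0, mu1 = math.log(median_start), math.log(median_end)
    records = []
    for k in range(n_years * 12):
        year, month = start_year + k // 12, k % 12 + 1
        mu = mu0 + (mu1 - mu0) * k / (n_years * 12)
        for _ in range(per_month):
            records.append((year, month, rng.lognormvariate(mu, sigma)))
    return records


def _time_years(year, month):
    return year + (month - 1) / 12.0


def yearly_means(records):
    """Raw average size per calendar year: the naive plot."""
    totals, counts = defaultdict(float), defaultdict(int)
    for year, _, size in records:
        totals[year] += size
        counts[year] += 1
    return {y: totals[y] / counts[y] for y in sorted(totals)}


def largest_share(records):
    """Fraction of each year's exposed records that came from that
    year's single largest breach: a measure of how tail-dominated
    the raw average is."""
    by_year = defaultdict(list)
    for year, _, size in records:
        by_year[year].append(size)
    return {y: max(v) / sum(v) for y, v in sorted(by_year.items())}


def log_trend(records):
    """Least-squares slope of ln(size) against time in years.

    Fitting on the log scale asks 'is the typical breach getting
    bigger?' without letting a few giant breaches decide the answer.
    A negative slope means the typical breach is shrinking even if raw
    yearly means bounce upward. Needs at least two distinct dates.
    """
    xs = [_time_years(y, m) for y, m, _ in records]
    ys = [math.log(s) for _, _, s in records]
    n = len(xs)
    x_bar, y_bar = sum(xs) / n, sum(ys) / n
    sxx = sum((x - x_bar) ** 2 for x in xs)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, ys))
    return sxy / sxx


if __name__ == "__main__":
    # Median drifting from 5,200 down to 4,600 over ten years, with a
    # wide spread (sigma = 2.5 in log units, an assumed value) so that
    # sizes span from a few records to many millions.
    recs = simulate_breaches(2015, 2005, 10, 20, 5200, 4600, 2.5)
    shares = largest_share(recs)
    for year, mean in yearly_means(recs).items():
        print(f"{year}: raw mean {mean:10.0f}  "
              f"largest breach = {shares[year]:.0%} of the year's total")
    print(f"log-scale trend: {log_trend(recs):+.3f} per year "
          "(negative = typical breach shrinking)")
```

Run it and the raw yearly means jump around by an order of magnitude from one year to the next while a single breach routinely accounts for most of a year's total, which is exactly the situation in which eyeballing a yearly-average plot says whatever the last big incident says. The log-scale slope is one simple stand-in for the kind of model the researchers built; it is not their method, but it isolates the same question, namely whether the underlying trend is real once the tail is accounted for.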

"The idea that breaches are not necessarily worsening may seem counter-intuitive," Edwards, Hofmeyr, and Forrest write, but the findings could be related to the Red Queen hypothesis in biology, itself named for the Red Queen in Lewis Carroll's Through the Looking-Glass: "It takes all the running you can do, to keep in the same place." That is, large breaches may not be on the rise precisely because computer security experts have been vigilant in the face of these risks.

In other words, stay on your toes, IT department.

Quick Studies is an award-winning series that sheds light on new research and discoveries that change the way we look at the world.
