Security Manager's Journal: Breaches are everywhere

A look back at the top 20 data breaches of 2014 -- over 450 million records compromised -- points to the new normal.

Follow me, if you will, on a journey back in time to just one year ago. As 2013 turned into 2014, the information security industry was buzzing about the latest spate of breaches. Target had ushered in a new era of retail security breaches, with 40 million card numbers lost to the hackers. Little did we know at the time that this was just the beginning, and small potatoes in comparison to what was to come. One year ago, Neiman Marcus and Michaels had joined Target, and I wrote in response to the growing number of breach disclosures that "in fact, I have to wonder which retailers have not suffered breaches. The word on the street is that at least a half-dozen other retailers were compromised in the past few months, without publicity." Sadly, this turned out to be true. I hate being right all the time.

It turned out that 2014 saw at least 20 highly publicized security breaches (that's more than one every three weeks on average). Just as we learned the details of one breach, another one would hit the news. I don't know about you, but it kept my head spinning.

Let's look back at some of the highlights, to put things in perspective.

That comes to over 453 million -- the grand total of all the card numbers and personal information records stolen during the year 2014 (that we know about to date -- millions more may be disclosed in the coming months). There are 316 million people in the United States. Looking at these statistics, I'd say the chances are pretty good that nearly all of us have been affected by the breaches of 2014. You can safely bet that your own card numbers, passwords, email addresses, contact information and other personal information were compromised in at least one of these breaches.

It's a new day for information security practitioners -- a dark, cold, serious day. The world we live in has changed. Our job used to be to defend against reasonably foreseeable, potential, theoretical threats. It still is -- but we no longer need to rely exclusively on risk models and threat prediction to determine where and how to place our defenses. We know where and what the threats are now. They're out there, in plain sight, organized and deadly efficient, boldly smashing and grabbing. We have seen the enemy, and this is war.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.
