Cloud computing data breaches currently few
Data breaches seem to be everywhere these days except the one place everyone fears—the cloud.
Despite major breaches in 2011 affecting Expedia Inc.'s Trip Advisor, email marketing provider Epsilon Data Management L.L.C., Sony Corp.'s online entertainment services, and the Institute of Electrical and Electronics Engineers—to name a scant few—cyber criminals for the most part have kept their activities, well, earthbound. The cloud may be the place with more competitive, proprietary and personal information locked away; but other than a handful of reported breaches, it's either impenetrable or has been largely left alone.
“Most of what we've seen happen are breaches that result in downtime, but not the loss of personally identifiable information like customer and employee Social Security numbers and birthdates—at least not yet,” said David Navetta, a partner at Denver-based Information Law Group. “That's the big concern, of course, since a single cloud provider may house sensitive information on tens, if not hundreds, of thousands of individuals.”
This experience stands in stark contrast to data breaches of corporate systems. Through Dec. 16, 2011, Privacy Rights Clearinghouse had tracked 535 breaches involving 30.4 million sensitive records. Since 2005, the organization has identified total reported breaches involving at least 543 million records, and this is a “conservative number,” according to information posted on the organization's website.
Of late, hackers seem to be lowering their sights to midsize and smaller enterprises, which also store a treasure trove of personally identifiable information but generally lack the security measures of their larger counterparts.
Of the 761 data breaches investigated in 2010 by the U.S. Secret Service and Verizon Communications Inc.'s forensics analysis unit, 63% occurred at companies with 100 or fewer employees. And a 2011 survey by security systems provider Symantec Corp. of more than 2,000 small and midsize enterprises indicated that 73% had been breached by a cyber attack, with the average annual cost per organization pegged at $188,242.
Why aren't cyber criminals aiming higher—in the cloud? One can argue that vendors are acutely cognizant of the reputational risk of a major data breach involving consumer information and, therefore, have battened down the hatches. As Jay Heiser, vp of research at technology consultant Gartner Inc., puts it, “Cloud providers put more emphasis on security than other entities. If they didn't, they'd fall over.”
Others agree. “Potential data breaches in the cloud are talked about a lot, but there hasn't been much to point to,” said David Black, chief information security officer at Aon eSolutions, the technology solutions business of Chicago-based Aon Corp. “The reality is that cloud vendors know that security is the big risk to their entire business model. If they were to experience a major breach, they're sure to go out of business.”
Yet another reason for the relatively low number of cloud breaches was offered by David Roath, risk assurance partner at PricewaterhouseCoopers L.L.P. and leader of the consultancy's information technology security practice: “Their reputation depends on not incurring a breach; consequently, they will do everything they can, if there is a breach, to ensure it isn't made public.”
Not that there haven't been some partings of the cloud.
“Google had a big failure in March (2011), involving the deletion of 150,000 Gmail users' emails, applications, contact and calendar information—basically their entire accounts,” Mr. Heiser said. “The email contents and contact contents were just gone. Google attributed this to a software upgrade that had unexpected consequences. It took Google four days to fully restore data to the impacted users, which is a very long time, given that Google characterized this as impacting much less than 1% of its accounts.”
Other widely used cloud services include Microsoft Corp.'s Azure and Apple Inc.'s MobileMe and iCloud offerings. Microsoft's Business Productivity Online Suite, aimed at commercial enterprises, reportedly suffered a data breach in 2010 in which customers of the BPOS cloud service could inadvertently download information about other customers of the suite. The technology giant said it resolved the issue within two hours of its discovery, and only a few customers were involved, according to reports.
Other commercial cloud vendors have suffered breaches, such as GoGrid, which reported last March that an unauthorized third party possibly had viewed its customers' account information, including payment card data.
According to GoGrid, the provider took immediate action, notifying federal law enforcement authorities. In a letter to customers, GoGrid stated that it believed the situation had been contained and that there was no indication that customers' personally identifiable information had been shared with unauthorized parties.
Online cloud storage provider Dropbox Inc. experienced a different outcome—a class action lawsuit brought by users in July 2011 for failure to secure their private data and immediately notify them about a recent data breach. Plaintiffs alleged that Dropbox did not encrypt the personal data it stored according to industry best practices, according to reports.
While reported data breaches involving cloud vendors have been limited, some recent closures of providers raise concerns about service continuity and customers' continued access to their data. In some cases, the vendors have been vague about the cause of their demise.
Coghead, a popular “software as a service” cloud vendor, closed shop in 2009, citing economic reasons.
In addition, Mr. Heiser said Gartner had learned from several sources that SaaS-based contract management application provider Mumboe Inc. had told its customers in late October that “they had two weeks to pick up their data before the cloud was permanently grounded.” Mumboe could not be reached for a comment.
“We've been suggesting for quite some time that procurement organizations need to develop new skills, not only for the procurement of SaaS applications but also for the ongoing monitoring of provider viability,” Mr. Heiser said.