Apparent wave of cyber breaches is an illusion

Media-hungry pranksters are giving the false impression there have been more intrusions on government and corporate networks, but exploits have been intense for years, researchers say.

A proliferation of hacktivists and frustration with cleanup costs are prompting agencies and companies to disclose breaches they would have kept under wraps in the past, Internet security researchers say.

While it may seem that cyber crooks are poking into databases more frequently based on increased media coverage, the fact is that government and corporate networks have been under constant assault for years, the researchers note.

"There are those that have been hacked and those that do not know they have been hacked -- there are really only two groups," said Dmitri Alperovitch, vice president of threat research for McAfee Labs, the research division of the computer security firm. "When we do an investigation, 99 percent of the time we're forced to sign a [nondisclosure agreement]" so word of the incident does not surface.

He attributes the recent rise in reports of network intrusions to publicity-seeking perpetrators that have become more organized during the past year.

Prankster hacker groups Anonymous and LulzSec -- lulz is Internet slang for laughs and sec stands for security -- have broadcast through Twitter and online message boards their exploits of systems belonging to Sony, PBS and the CIA.

At the same time, companies, including email marketing firm Epsilon and federal contractor RSA -- a network security provider -- are becoming fed up with paying heavily in the aftermath of hacks, some malicious software experts say. The expenses often include legal counsel, additional information technology support and lost revenue from fleeing customers.

"Before they used to treat it as a cost of doing business," said Bradley Anstis, vice president for technical strategy at threat-protection company M86. "Now people are feeling a newfound repugnance about what these groups are doing. Now these organizations are just so sick of being attacked."

The average cost of a data breach at a U.S. organization in 2010 was $7.2 million, according to a March study conducted by the Ponemon Institute, a privacy research firm.

"People aren't afraid to talk about it now," said Charles Dodd, a consultant on offensive cyber operations for the U.S. government. What companies and agencies have come to accept is that "I have 100 percent of the liability if the breach happens," so more of them are telling customers about cyber events.

But Alperovitch said the majority of agencies and companies still are not reporting breaches. "They don't want it out in the news," he said.

And studies show keeping breaches on the down-low may ultimately be less expensive.

The Ponemon analysis found that a growing share of attacked companies are alerting affected clients quickly, within one month of detection -- and that such fast responses are significantly costing them. Those that took action quickly paid about $100 more per compromised data record than organizations that moved more slowly in detecting the issue, containing it and notifying victims.

Consumers and lawmakers, however, argue businesses aren't coming clean about penetrations fast enough.

Senators are crafting bills to create a national data breach standard that would mandate companies notify affected customers within a certain number of days. The White House also has weighed in with a legislative proposal to establish one national requirement for alerting people whose personal information has been accessed within 60 days of detection.
