The extreme risk of personal data breaches and the erosion of privacy

  • Regular Article
The European Physical Journal B

Abstract

Personal data breaches from organisations, enabling mass identity fraud, constitute an extreme risk. This risk worsens daily as an ever-growing amount of personal data are stored by organisations and on-line, and the attack surface surrounding this data becomes larger and harder to secure. Further, breached information is distributed and accumulates in the hands of cyber criminals, thus driving a cumulative erosion of privacy. Statistical modeling of breach data from 2000 through 2015 provides insights into this risk: A current maximum breach size of about 200 million is detected, and is expected to grow by fifty percent over the next five years. The breach sizes are found to be well modeled by an extremely heavy tailed truncated Pareto distribution, with tail exponent parameter decreasing linearly from 0.57 in 2007 to 0.37 in 2015. With this current model, given a breach contains above fifty thousand items, there is a ten percent probability of exceeding ten million. A size effect is unearthed where both the frequency and severity of breaches scale with organisation size like $s^{0.6}$. Projections indicate that the total amount of breached information is expected to double from two to four billion items within the next five years, eclipsing the population of users of the Internet. This massive and uncontrolled dissemination of personal identities raises fundamental concerns about privacy.
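The tail figures in the abstract can be reproduced with a short calculation. The following is an added example, not code from the paper: it assumes the truncated Pareto has its lower threshold at the abstract's fifty thousand items and its upper truncation at the abstract's maximum of about 200 million, and the function names are illustrative.

```python
import math
import random

# Assumed parameterisation, read off the abstract's figures (not the paper's code):
U = 5e4            # lower threshold: "above fifty thousand items"
V = 2e8            # upper truncation: "maximum breach size of about 200 million"
ALPHA_2007 = 0.57  # tail exponent reported for 2007
ALPHA_2015 = 0.37  # tail exponent reported for 2015

def survival(x, alpha, u=U, v=V):
    """P(X > x | X > u) for a Pareto(alpha) law truncated to [u, v]."""
    if x <= u:
        return 1.0
    if x >= v:
        return 0.0
    tail_v = (u / v) ** alpha
    return ((u / x) ** alpha - tail_v) / (1.0 - tail_v)

def quantile(p, alpha, u=U, v=V):
    """Inverse CDF: the size x such that P(X <= x | X > u) = p, 0 <= p < 1."""
    tail_v = (u / v) ** alpha
    return u * (1.0 - p * (1.0 - tail_v)) ** (-1.0 / alpha)

def mean_size(alpha, u=U, v=V):
    """E[X | X > u]; finite only because of the truncation (alpha < 1)."""
    tail_v = (u / v) ** alpha
    integral = (v ** (1 - alpha) - u ** (1 - alpha)) / (1 - alpha)
    return alpha * u ** alpha * integral / (1.0 - tail_v)

def sample(n, alpha, seed=0):
    """Inverse-transform sampling of n breach sizes (seeded for repeatability)."""
    rng = random.Random(seed)
    return [quantile(rng.random(), alpha) for _ in range(n)]

if __name__ == "__main__":
    for year, a in ((2007, ALPHA_2007), (2015, ALPHA_2015)):
        print(year,
              f"P(>10M)={survival(1e7, a):.3f}",
              f"median={quantile(0.5, a):,.0f}",
              f"mean={mean_size(a):,.0f}")
```

Under these assumptions the 2015 exponent gives a probability of about 0.10 of exceeding ten million, matching the abstract, while the 2007 exponent gives about 0.04. The mean sits more than an order of magnitude above the median, which is what "extremely heavy tailed" means for anyone sizing breach exposure from typical incidents.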

Corresponding author

Correspondence to Spencer Wheatley.

Cite this article

Wheatley, S., Maillart, T. & Sornette, D. The extreme risk of personal data breaches and the erosion of privacy. Eur. Phys. J. B 89, 7 (2016). https://doi.org/10.1140/epjb/e2015-60754-4
