Monday, March 12, 2012

PCI and March Madness?

What would it look like if we had a March Madness tournament for colleges and universities, but instead of putting the ball through a hoop, we counted the size (number of breached records) of security breaches? The picture would not be pretty, and this is definitely one tournament where you do not want to have your school anywhere near the "final four."

The people at TeamSHATTER just put out a grid illustrating the largest data breaches at higher ed institutions in 2011, and they did it in a very interesting and entertaining (if that's possible) way. They put the schools into brackets and traced the "competition" all the way to the unfortunate winner. You can see their analysis here. In effect, they turned "National Bracket Day" into "National Breach Day."

The unfortunate winner was Virginia Commonwealth University, followed by the University of Wisconsin-Milwaukee, Yale, and University of South Carolina.

What is missing is the larger picture: the number of reported data breaches is down sharply. Fewer breaches were reported (48 in 2011 vs. 57 in 2010), making it harder to fill in the brackets. But the really BIG news is that the number of compromised records fell by a whopping 70% to about 480,000 in 2011 as opposed to 1.7 million in 2010. That certainly is good news.

To be fair to this year's "winner," their breach of 177,000 records, while significant, would not make the top 10 since 2005.

Does the decline in overall breaches mean higher ed IT and Treasury departments and PCI teams are doing a better job? I tend to think so. So if you don't see your school on the bracket, congratulate yourself, but don't get complacent. We are already seeing some sizable breaches at schools this year.

If you are interested in more history, you can also check out the figures for previous years here at TeamSHATTER's site.