Data Has Become a Key Driver of Economic and Social Development, Yet Data Breach Risks Loom Large

In today’s world swept by the wave of digitalization, data has become a critical element driving economic and social development. However, with the explosive growth and widespread application of data, the risk of data breaches has become increasingly prominent. In recent years, data breach incidents have occurred frequently; halfway through 2024 alone, some of the largest-scale and most destructive data breaches in recent years have already taken place. Even as certain cyberattacks appear to have reached extreme proportions, the situation continues to worsen. The vulnerability of personal privacy, damage to corporate reputation, and even potential threats to national security all serve as stark warnings that data protection is an urgent priority.

Change Healthcare Breached: “Most Americans’” Medical Data Stolen

In 2024, Change Healthcare fell victim to a ransomware attack. Inadequate security measures led to the theft of a large amount of sensitive data, causing widespread impacts—including the shutdown of hospital operations. UnitedHealth Group paid a ransom to obtain a copy of the stolen data. CEO Andrew Witty revealed that information belonging to approximately one-third of Americans might have been leaked, and the full extent of the impact is still under assessment.

Synnovis Ransomware Attack Triggers Widespread Hospital Outages in London

In June 2024, Synnovis, a British pathology laboratory, was hit by a ransomware attack linked to Russian actors. This incident disrupted healthcare services in London for several weeks and delayed thousands of surgeries. Data of 300 million patients was stolen, with some of it leaked online. Synnovis refused to pay the $50 million ransom. The affected NHS trusts had long been failing to meet standards, prompting the government to launch an emergency response to address the potential large-scale data exposure.

Snowflake Hack Leads to Theft of 560 Million Records from Ticketmaster

The Snowflake cloud data platform suffered a cyberattack. The lack of mandatory multi-factor authentication resulted in data theft affecting 165 enterprises, including 560 million records from Ticketmaster. Advance Auto Parts and TEG were also impacted, with the total number of stolen records reaching hundreds of millions. Mandiant confirmed that data from multiple large organizations had been compromised, and it is expected that more enterprises will confirm involvement in this security incident.

Cyberattacks and Internal Threats: Inadequate Corporate Data Protection

In the first half of 2024, incidents involving the infringement of citizens’ personal information and the theft/leakage of data assets continued to rise globally, becoming the biggest risk to cyberspace security.

  • Two Banks Fined: On January 5, the National Financial Regulatory Administration imposed fines of 4.3 million yuan and 4 million yuan on two banks respectively. The penalties were issued because the banks had multiple violations in information system management, disaster recovery construction, and cybersecurity, which increased the risk of data breaches.
  • Biotech Company Data Breach: On January 8, a case released by the Cybersecurity Bureau of the Ministry of Public Security revealed that a biotechnology company failed to encrypt its test data, leading to a breach of data in its “gene exon data analysis system.” The leaked data, totaling 19.1 GB, contained a large amount of citizens’ information and technical data. The company was legally warned and fined 50,000 yuan.

China Prioritizes Data Security, with Risk Assessment Mechanisms Taking Shape

Faced with the frequent occurrence of data breach incidents, the national government has attached unprecedented importance to data security. China adheres to the principle of balancing data security and development—security is the prerequisite for development, and development provides the guarantee for security. To standardize data processing activities, prevent and mitigate data security risks, and effectively safeguard data security, the Data Security Law of the People’s Republic of China (hereinafter referred to as the Data Security Law) explicitly requires the establishment of a data security risk assessment mechanism.

Currently, China’s data security assessment system is being built at an accelerated pace, with national top-level design and industry-specific exploration advancing in parallel.

  • National Standards: In May 2023, the Cybersecurity Standard Practice Guide—Implementation Guidelines for Cybersecurity Data Risk Assessment (hereinafter referred to as the Guidelines) was released. The national standard Information Security Technology—Data Security Risk Assessment Method, based on the Guidelines, is currently in the approval stage and awaiting official release.
  • Industry Exploration: In December 2022, the Ministry of Industry and Information Technology (MIIT) issued the Measures for the Management of Data Security in the Field of Industry and Information Technology (Trial). The document clarifies that MIIT will guide and encourage qualified institutions to conduct industry-specific data security testing and certification in accordance with relevant standards; formulate an industry data security assessment management system and oversee assessment institutions; and develop industry data security assessment specifications to guide institutions in conducting data security risk assessments and cross-border security assessments. The China Communications Standards Association (CCSA) is also accelerating the research and formulation of industry standards such as data security risk assessment specifications for the industrial and telecommunications sectors. The National Financial Standardization Technical Committee has successively released standards including JR/T 0223-2021 Financial Data Security—Security Specifications for the Data Lifecycle and Financial Data Security—Data Security Assessment Specifications (Draft for Comments).

In summary, China has built a data security risk assessment system with the Data Security Law as the overarching legal basis.

The Urgency of Data Security Risk Assessment in the Big Data Era

In the era of big data, data has become the “new oil” driving economic growth. However, accompanying security risks such as data breaches, misuse, and tampering are like undercurrents, threatening the healthy development of society and the economy. All industries face increasingly severe data security challenges, making the implementation of efficient and accurate data security risk assessments particularly urgent and necessary. Such assessments are not only the cornerstone of compliance but also a key link in safeguarding national security and social stability.

Key Challenges in Data Security

  1. Data Security Compliance Challenges: China has basically established a cybersecurity and data security legal framework, with laws such as the Cybersecurity Law, Data Security Law, Personal Information Protection Law, and Cryptography Law as the core, supported by administrative regulations and departmental rules, supplemented by local regulations and rules, and guided by national standards. Data processing activities must comply with legal requirements; otherwise, entities may face legal sanctions and reputational damage.
  2. Data Classification and Grading Challenges: Data classification and grading are essential prerequisites for building a sound data element market. However, the development of basic systems lags behind, failing to effectively support data classification and grading work; traditional data classification tools have low accuracy and coverage in identifying sensitive data; and there is a severe shortage of professionals capable of classifying and grading massive amounts of data assets.
  3. Data Flow Monitoring Challenges: Businesses increasingly demand greater data mobility, which lengthens data flow paths and creates difficulties for monitoring.
  4. Data Breach and Information Security Threat Challenges: In the digital economy era, data breaches and information security threats are among the most significant challenges. Cyberattacks and hacking incidents occur frequently, exposing enterprises to risks such as theft, ransomware, and malware.

The Role of Data Security Risk Assessment

In the face of escalating data security threats, data security risk assessment is the foundational work for implementing data security measures and ensuring controllable data security risks. Assessment results also serve as an important basis for formulating data security governance strategies. Risk assessments not only help identify potential threats and proactively deploy defensive measures but also optimize data management processes and improve overall security posture. Through scientific risk assessments, enterprises can effectively reduce the probability of data security incidents, ensure business continuity and competitiveness, and safeguard the steady development of the digital economy.

How to Conduct Data Security Risk Assessment (Views from Daopu Information Experts)

Experts in data security risk assessment from Daopu Information stated that by leveraging professional third-party assessment services and risk assessment models based on data classification and grading, organizations can identify and assess risks throughout the entire data lifecycle (collection, transmission, storage, processing, exchange, and destruction) from 7 dimensions—policies and procedures, data and system assets, organizational and personnel management, service planning and management, data supply chain management, compliance management, and full-lifecycle data security management—and 4 perspectives—organizational development, institutional processes, technical tools, and personnel capabilities. After identifying data security risks, a risk response plan is formulated.

Key Stages of Data Security Risk Assessment

  1. Assessment Preparation: Key tasks include defining the assessment object, scope, and boundaries; forming an assessment team; clarifying assessment bases and criteria; developing an assessment plan; and obtaining management support.
  2. Risk Identification: This stage involves identifying asset value, key elements of data processing activities, compliance requirements, threats, vulnerabilities, and existing security measures.
  3. Risk Analysis: Using appropriate methods and tools, organizations can determine compliance risks, the likelihood of data security incidents, and the impact of such incidents on the organization, thereby calculating the data security risk value.
  4. Risk Evaluation: After conducting risk analysis, organizations calculate risk values and classify risks into three levels: high, medium, and low. Based on the risk levels, the results of the risk assessment are finalized.

Conclusion

Currently, data breach incidents are becoming increasingly severe, and challenges in the field of data security are growing. To effectively address these risks, we must establish and improve data security risk assessment systems, and strengthen the supervision and protection of data security. Only in this way can we ensure that while data drives economic development, it does not become a “time bomb” threatening personal privacy and social stability. Let us work together to safeguard this “blue ocean” of data and protect the healthy development of the digital economy.
