Kiteworks Releases 2024 Top 11 Data Breaches Report Using Risk Exposure Index to Reveal True Breach Impact - Middle East Business News and Information
Kiteworks, which empowers organisations to effectively manage risk in every send, share, receive, and save of sensitive data, today releases its 'Top 11 Data Breaches of 2024' report. The research applies Kiteworks' Risk Exposure Index (REI), a proprietary methodology introduced in summer 2024, to quantify and compare the severity of the year's most significant breach events.
The REI assessment reveals that raw numbers of records exposed, while important, tell only part of the story. By analysing factors including data sensitivity, financial impact, regulatory implications, and attack sophistication, the report provides a nuanced measurement of organizational and consumer risk far beyond traditional metrics.
'Our Risk Exposure Index assessment of these breaches demonstrates what traditional reporting often misses,' says Tim Freestone, Chief Marketing Officer at Kiteworks. 'When we look beyond headline figures, we see that data sensitivity outranks all other factors in determining breach severity, confirming that what was stolen matters more than how much was taken. This insight enables organisations to more effectively prioritize their security investments.'
Key Risk Exposure Index Findings
Supply Chain Impact Reaches Perfect Score: The Change Healthcare breach received a 10.0 Supply Chain Impact score, the highest possible rating, reflecting the catastrophic downstream effects on thousands of healthcare providers nationwide. By comparison, the National Public Data breach scored 8.5 for Supply Chain Impact, illustrating how our methodology quantifies ecosystem-wide risk.
Attack Vector Sophistication Varies Significantly: The report's analysis shows significant variation in Attack Vector Sophistication scores, ranging from 5.4 (DemandScience) to 8.4 (National Public Data). This variance highlights how some breaches exploit advanced persistent techniques while others leverage basic misconfigurations.
Risk Score Rankings Reveal True Impact: The National Public Data breach achieved the highest overall risk score (8.93) due to its unprecedented scale, while the Change Healthcare breach ranked second (8.7) despite affecting fewer records. Hot Topic (7.7), LoanDepot (7.6), and Kaiser Foundation Health Plan (7.6) demonstrate how breaches of varying sizes can pose similar risk levels when analyzed comprehensively.
Data Sensitivity Drives Risk: Multi-factor analysis across all breaches indicates that the three most influential factors in determining breach severity are:
Data Sensitivity (24% influence): The nature of compromised information proved the single most important factor in determining real-world impact, with financial and health data breaches creating the most significant individual harm.
Financial Impact (22% influence): The economic consequences for the breached organisation and affected individuals strongly influenced overall risk assessment, with ecosystem disruption creating particularly severe impacts.
Regulatory Compliance (18% influence): The regulatory environment significantly shaped breach outcomes, with highly regulated industries facing more substantial consequences and response requirements.
This correlation between data sensitivity and risk score (r=0.78) was particularly strong in healthcare and financial services breaches.
'What makes our Risk Exposure Index particularly valuable is its ability to quantify factors that typically defy measurement,' says Patrick Spencer, VP of Corporate Marketing and Research at Kiteworks. 'Our multi-factor analysis reveals that data sensitivity is the single most influential factor in determining breach severity, accounting for 24% of the overall risk impact. This indicates that what was stolen matters more than how much was taken. Organisations must prioritise protecting their most sensitive data throughout its life cycle, especially in an environment where third-party risk management remains the least mature security domain in 2024, creating systematic vulnerabilities that threat actors increasingly target.'
Rank
Data Breach
Supply Chain Impact
Attack Vector Sophistication
Risk Score
1
National Public Data
8.5
8.4
8.9
2
Change Healthcare
10.0
8.2
8.7
3
Ticketmaster Entertainment
6.8
8.2
8.7
4
AT&T
5.4
6.5
8.5
5
Hot Topic
8.2
7.8
7.7
6
LoanDepot
4.2
7.1
7.6
7
Kaiser Foundation Health Plan
7.8
6.9
7.6
8
DemandScience by Pure Incubation
6.9
5.4
7.1
9
Dell Technologies
5.9
7.4
7.2
10
MC2 Data
5.2
5.7
6.9
11
U.S. Environmental Protection Agency
4.2
6.8
6.2
Risk Exposure Score of Top 11 Data Breaches in 2024 The full 'Top 11 Data Breaches of 2024' report can be downloaded here.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Mid East Info
19-06-2025
- Mid East Info
Kiteworks Expands Market Reach While Reconfirming Commitment to Data Privacy With Zivver Acquisition - Middle East Business News and Information
Kiteworks, which empowers organisations to effectively manage risk in every send, share, receive, and use of private data, today announced the acquisition of Zivver, an innovative secure email platform headquartered in Amsterdam, the Netherlands. This strategic acquisition enhances Kiteworks' capabilities in secure communication while further expanding its European presence with the addition of Zivver's professional team and large customer base. Zivver uses machine learning and artificial intelligence to analyse sensitive email content in context to prevent human errors, the biggest cause of data leaks in email, and to accurately protect, control, and track the exchange of sensitive data using a zero-knowledge, zero-access encryption key architecture. This ensures that only the sender and intended recipients have access to the protected data, maintaining the highest levels of security and privacy. Expanding the Private Data Network The acquisition will result in the integration of Zivver's AI-enabled secure email capabilities into Kiteworks' Private Data Network that unifies and secures email, file sharing and collaboration, SFTP, managed file transfer (MFT), enterprise AI, and web forms into one platform. Kiteworks also includes Next-generation Digital Rights Management (Next-gen DRM) powered by SafeEDIT that provides organisations with a unified approach to monitoring, controlling, and protecting private data across multiple communication channels. This is Kiteworks' sixth acquisition in the past three and a half years and fifth in the past 18 months. 'Organisations require comprehensive solutions that protect private data shared and sent across all communication channels while maintaining seamless user experiences,' says Amit Toren, Chief Business Officer at Kiteworks. 'By bringing Zivver's innovative secure email technology into our Private Data Network, we're providing the combined customer base with enhanced capabilities to secure their most sensitive communications while meeting stringent compliance requirements. This acquisition reflects our focus on continuous innovation in secure data exchange, including AI-based data protection, coupled with the continued growth in our talented global team.' Benefits for Zivver Customers and Partners Zivver customers and partners will benefit significantly from this acquisition while experiencing no disruption to their existing services: Kiteworks' Private Data Network Platform: Customers gain access to additional secure communication capabilities within Kiteworks' comprehensive security and governance framework. Customers gain access to additional secure communication capabilities within Kiteworks' comprehensive security and governance framework. Enhanced Global Support: Customers electing to upgrade to the combined Kiteworks platform will have access to Kiteworks' robust 24/7 support operation, ensuring expert assistance is available worldwide at any time – from initial onboarding to ongoing business-critical operations. Customers electing to upgrade to the combined Kiteworks platform will have access to Kiteworks' robust 24/7 support operation, ensuring expert assistance is available worldwide at any time – from initial onboarding to ongoing business-critical operations. Long-term Innovation and Stability: Customers get continued product support without disruptions to service, backed by Kiteworks' profitable, well-funded organisation committed to the highest security and compliance standards. Customers get continued product support without disruptions to service, backed by Kiteworks' profitable, well-funded organisation committed to the highest security and compliance standards. Data Sovereignty: Zivver will remain hosted in the European Union with all data stored within EU borders, ensuring compliance with regional data protection regulations. 'We surveyed countless companies and solutions globally,' says Wouter Klinkhamer, CEO of Zivver. 'Our objective was to find a partner who shares our vision for zero-access security and meets Europe's stringent data sovereignty standards. Kiteworks not only mirrors our philosophy on encryption and zero-trust, but also offers on-premise and private cloud deployment options for controlling, monitoring, and protecting every data interaction between people, machines, and systems across user collaboration and automated workflows − all from one platform. We're particularly excited about the expanded product innovation and development and additional resources this acquisition brings to our customers and partners.' Key Capabilities of the Combined Solution The integration of Zivver into Kiteworks' Private Data Network will bring additional capabilities to organisations seeking to protect their sensitive communications. Specifically, Zivver automatically analyses email and attachment content with machine learning and AI based on scanning for sensitive data, behavioural analysis, erroneous email address detection/warning, and others, adjusting protection levels based on the detected sensitivity of the information being shared and its context. This 'right-sized security' approach means that enhanced security protocols (like encryption and additional authentication) are only triggered when sensitive data is detected. According to company policy, this ensures critical data remains protected without unnecessarily burdening users with extra security steps for non-sensitive communications. Zivver also integrates with major email platforms including M365, Outlook, and Gmail, providing a user-friendly experience for secure email communication and large file sharing without complicated workflows. Plus, there is no need for recipients to create accounts to Zivver, reducing friction in reading and replying to secure emails. Finally, Zivver's e-signature capabilities provide a secure, compliant solution for digital document signing. The platform integrates with Zivver's encrypted email system, allowing users to send documents for signature, track progress in real time, and store completed documents with verification. Compliant with eIDAS and ESIGN regulations, the user-friendly system offers customisable workflows and mobile-friendly signing options that don't require recipient accounts − balancing security with convenience for industries handling sensitive information. Continuity for Customers Zivver will continue to be sold and supported independently, with no disruptions in service for existing customers. Customers can continue renewing and upgrading their licenses as before, while benefiting from the additional resources and capabilities that come with being part of Kiteworks. Kiteworks' and Zivver's joint commitment enables organisations to meet various regulations such as GDPR, NIS 2, HIPAA, and DORA, with adaptable security measures and robust reporting for compliance monitoring. 'Working together, we can serve European customers with a truly holistic approach,' says Rick Goud, Chief Innovation Officer at Zivver. 'They'll have the freedom to selectively leverage the cloud for certain workloads while keeping their most sensitive communications fully on-premise if they choose. The combination of user-friendly data protection, encryption, and advanced monitoring of all outbound data flows provides the level of protection and peace of mind today's governments and enterprises desperately need.'
Mid East Info
16-06-2025
- Mid East Info
Kiteworks Survey Reveals Only 17% of Organizations Have Technical Controls for AI Data Security While Over One-Quarter Report High Private Data Exposure
Organizations rush to adopt AI but fail to have commensurate security and compliance controls in place Kiteworks, which empowers organizations to effectively manage risk in every send, share, receive, and use of private data, today released findings from its AI Data Security and Compliance Risk Survey of 461 cybersecurity, IT, risk management, and compliance professionals. The survey, which was conducted by Centiment, reveals critical implementation failures: Only 17% of organizations have technical controls that block access to public AI tools combined with DLP scanning, while 26% report over 30% of data employees ingest in public AI tools is private data. These findings emerge amid a documented surge in AI-related incidents. Stanford's 2025 AI Index Report records a 56.4% year-over-year increase in AI privacy incidents, reaching 233 incidents last year.[1] The Kiteworks survey exposes how organizations remain unprepared: 40% restrict AI tool usage through training and audits, 20% rely solely on warnings without monitoring, and 13% lack any specific policies for public AI tool usage—leaving the vast majority vulnerable to emerging threats. 'Our research reveals a fundamental disconnect between AI adoption and security implementation,' said Tim Freestone, Chief Marketing Officer at Kiteworks. 'When only 17% have technical blocking controls with DLP scanning, we're witnessing systemic governance failure. The fact that Google reports 44% of zero-day attacks target data exchange systems undermines the very systems organizations rely on for protection.' Industry Benchmarks Reveal Dangerous Overconfidence Gap The Kiteworks survey exposes a critical overconfidence crisis in AI governance readiness. While one-third of survey respondents claim they have comprehensive governance controls and tracking in place, this contrasts starkly with Gartner's finding that only 12% of organizations have dedicated AI governance structures, with 55% lacking any framework whatsoever.[2] This dramatic gap between perception and reality creates unprecedented risk exposure. Deloitte's research provides even more sobering context: Only 9% of organizations achieve 'Ready' level AI governance maturity, despite 23% claiming to be 'highly prepared'—a 14-point overconfidence gap.[3] This misalignment is particularly concerning given that 86% of organizations lack visibility into AI data flows, according to industry research.[4] The rush to adopt AI without proper controls is accelerating. A recent EY survey found 48% of technology companies are already deploying AI agents, with 92% planning to increase AI spending—a 10% jump from March 2024.[5] Yet this enthusiasm comes with what EY calls 'tremendous pressure' to demonstrate ROI, creating incentives to prioritize speed over security. 'The gap between self-reported capabilities and measured maturity represents a dangerous form of organizational blindness,' explained Patrick Spencer, VP of Corporate Marketing and Research at Kiteworks. 'When organizations claiming governance discover their tracking reveals significantly more risks than anticipated according to Deloitte, and when 91% have only basic or in-progress AI governance capabilities, this overconfidence multiplies risk exposure precisely when threats are escalating.' Legal Sector Exemplifies Implementation-Awareness Gap The Kiteworks survey found legal professionals report the highest concern about data leakage at 31%, yet implementation remains weak: 15% have no specific policies or controls regarding the use of public AI tools with company data, while 19% rely on unmonitored warnings. This implementation gap becomes more pronounced in privacy investment strategies. While 23% of all organizations maintain comprehensive privacy controls with regular audits before any AI system deployment, only 15% of legal firms have fallen into the trap of having no formal privacy controls while prioritizing rapid AI adoption—an 8-point improvement over the 23% average across all sectors yet still concerning given their fiduciary duties. The disconnect aligns with Thomson Reuters data showing only 41% of law firms have AI policies despite 95% expecting AI to become central within five years.[6] This gap between current readiness and future expectations in the legal sector—an industry built on precedent and risk mitigation—exemplifies the broader organizational tendency to defer critical security implementations while embracing transformative technologies. AI Security Gap: When Perception Meets Reality The survey's finding that only 17% have implemented technical controls that block access to public AI tools combined with DLP scanning becomes more concerning given the evolving threat landscape. Google's research reveals 44% of zero-day vulnerabilities target data exchange systems, with 60% of enterprise-targeted zero days exploiting security and networking tools—the very systems meant to protect sensitive data. Despite awareness of risks, the Kiteworks survey found organizations remain deeply divided on addressing vulnerabilities: 34% report using a balanced approach with data minimization and selective privacy-enhancing technologies 23% maintain comprehensive privacy controls with regular audits 10% have basic privacy policies but prioritize AI innovation 10% address privacy concerns reactively, focusing on compliance only when legally required 23% have no formal privacy controls and prioritize rapid AI adoption Based on the convergence of weak controls, limited visibility, and escalating threats, organizations must: Acknowledge Reality: Recognize that self-assessed governance may significantly overstate actual maturity based on industry benchmarks Deploy Verifiable Controls: Implement automated governance tracking and controls that can demonstrate compliance, not just claim it Prepare for Regulatory Scrutiny: Quantify exposure gaps and implement measurable improvements 'The data reveals organizations significantly overestimate their AI governance maturity,' concluded Freestone. 'With incidents surging, zero-day attacks targeting the security infrastructure itself, and the vast majority lacking real visibility or control, the window for implementing meaningful protections is rapidly closing.' [1] 'The 2025 AI Index Report,' Stanford University, 2025. [2] 'AI Governance Frameworks for Responsible AI,' Gartner, March 20, 2023. [3] 'New Deloitte survey finds expectations for Gen AI remain high, but many are feeling pressure to quickly realize value while managing risks,' Deloitte, January 15, 2024. [4] 'Flying blind: Only 14 percent of companies surveyed have a comprehensive overview of generative AI usage,' LeanIX, June 18, 2024. [5] 'EY survey reveals that technology companies are setting the pace of agentic AI – will others follow suit?' EY, May 14, 2025. [6] '2025 Generative AI in Professional Services Report,' Thomson Reuters, February 2025.
Mid East Info
21-05-2025
- Mid East Info
Kiteworks Survey Kiteworks Survey Finds Zero-Day Threats and Compliance Failures Are Forcing a Rethink of Vendor Selection
Kiteworks, which empowers organisations to effectively manage risk in every send, share, receive, and use of private data, today revealed compelling evidence for its market growth through findings from the Data Security and Compliance Buyer Behavior Survey. The study, conducted by Centiment, demonstrates why regulated industries are gravitating toward the company's Private Data Network as their solution of choice for mission-critical security and compliance challenges. Zero-Trust Data Exchange The Data Security and Compliance Buying Behavior Survey reveals that security is the dominant factor in vendor selection decisions. This focus on security comes at a critical time, as Google's 2024 Zero-Day Exploitation Analysis Report found that 44% of zero-day vulnerabilities targeted enterprise data exchange systems, such as Managed File Transfer (MFT) platforms. Kiteworks' Zero-Trust Data Exchange architecture directly addresses these vulnerabilities by ensuring that all data exchanges are authenticated, encrypted, and monitored – regardless of the communication channel or endpoint. Compliance Certifications: A Critical Decision Factor The survey clearly demonstrates that organisations are increasingly prioritising regulatory compliance capabilities when selecting vendors, with 31% of respondents identifying compliance as a decisive factor in their final vendor selection. This focus is driven by the need to navigate complex regulations like GDPR, HIPAA, CMMC 2.0, the EU Data Act, and the EU AI Act, effective September 2025. The importance of compliance is further highlighted by several key findings: 56% of respondents rate security certifications as 'extremely important' during the vendor discovery phase. More than half struggle to obtain adequate security information during vendor evaluations. 63% of respondents actively seek detailed security and compliance information before even engaging with potential vendors. Nearly one-quarter reject vendors over security concerns often tied to compliance failures. Kiteworks addresses these pain points with a robust compliance framework, including FedRAMP Moderate Authorized, FedRAMP High Ready, SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and IRAP validations, ensuring seamless adherence to global standards. Compliance and Emerging Threats Require Unified Solutions As threats continue to evolve, the need for unified compliance solutions becomes even more critical. This trend aligns with the Verizon 2025 Data Breach Investigations Report, which shows third-party breaches have doubled to 30%, particularly through attacks on legacy file sharing and transfer solutions. Kiteworks' own annual survey reinforces this concern, finding nearly 60% of organisations lack comprehensive governance tracking and controls for their third-party data exchanges. Meanwhile, vendor reputation and stability remain key factors, with nearly two-thirds of respondents prioritising these attributes during the vetting process, including 30% indicating vendor stability is a high priority. Integration Capabilities Enhance Value While security and compliance form the foundation of vendor selection, the survey reveals that practical implementation concerns also heavily influence buying decisions. Seamless integration capabilities prove critical for customer satisfaction and long-term success, with 42% of survey respondents identifying integration capabilities as a key value driver. The importance of this factor is further emphasised by the 39% of respondents who reported eliminating potential vendors from consideration specifically due to inadequate integration capabilities. Organisations considering Kiteworks benefit from its comprehensive integration capabilities: Enterprise Authentication & Security Integration: Seamless connectivity with LDAP/Active Directory, single sign-on solutions, SIEM platforms, Splunk, HSM, and other security tools for comprehensive identity management and threat detection Productivity Suite & Legacy System Support: Deep integration with Microsoft Office, Outlook, G Suite, SharePoint, internal file shares, and legacy systems to maintain user productivity while enforcing security controls Automation & Administration: No-code MFT automation capabilities and centralised management through a single administrative console, reducing complexity while maintaining regulatory compliance across the entire data communication ecosystem API Extensibility: Comprehensive REST API and SCIM support for custom integration development and automated workflows 'Customers demand solutions that deliver robust security and compliance without sacrificing usability or integration capabilities,' says Tim Freestone, Chief Marketing Officer at Kiteworks. 'The survey confirms what we hear directly from our customers in regulated industries – that organisations need a unified approach to private data security that addresses the full spectrum of security threats while simplifying compliance and seamlessly integrating with existing workflows. This is precisely why our Private Data Network continues to be the preferred choice for organisations that can't afford to compromise on data protection.'
