The Leaking Vault 2011 report from the Digital Forensics Association has gathered data from studying 3,765 publicly disclosed data breach incidents, and is the largest study of its kind to date. Information was gleaned from the organizations that track these events, as well as government sources. Data breaches from 33 countries were included, as well as those from the United States.
This study covers incidents from 2005 through 2010, and includes over 806.2 million known records disclosed. On average, these organizations lost over 388,000 records per day/15,000 records per hour every single day for the past six years.
The estimated cost for these breaches comes to more than $156 billion to the organizations experiencing these incidents. This figure does not include the costs that the organizations downstream or upstream may incur, nor that of the data subject victims. Further, it is a low estimate of the cost, due to the fact that 35% of the incidents did not name a figure for records lost.
The Hacking vector remains the records loss leader, responsible for 48% of the records disclosed in the study.
- In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number
- 16% disclosed medical information
- 15% of the incidents disclosed Credit Card Numbers
Medical disclosures saw a significant increase with the addition of the 2010 data. This is more likely due to the reporting requirement of existing regulations going into effect than any actual increase of incidents. The incidents where criminal use of the data was confirmed increased by 58% from the prior report.
Here is a small sampling of the incidents from the study to put a personal face on the statistics:
Three servers from a well-known chain restaurant were charged with using skimming devices to make more than $117,000 in fraudulent charges to customer credit card accounts.
- A restaurant employee stole customer credit card information and used it to purchase $200,000 of Walmart gift cards.
- In the span of six months, nine employees of a telecommunications company inappropriately accessed confidential customer account information and used it to make cloned cell phones. Over $15 million of unauthorized phone calls resulted from this scheme.
- An executive turned himself into authorities after being accused of selling customer information to identity thieves in exchange for sports tickets and gift cards.
- The owner of a medical equipment business used Medicare client information to obtain approximately $1.6 million worth of fraudulent claims.
- The owner of a farm equipment store pled guilty to federal charges, admitting she stole the identities of customers to obtain more than 80 loans worth $1.7 million.
There has been a rise in snooping and other inappropriate disclosure where the confidentiality of the data is breached, but the data may not have left the control of the organization; or the act was done with the approval of the organization, but found later to be an inappropriate breach of confidentiality. In a recent case, UCLA Medical Center agreed to pay $865,000 to settle instances where employees snooped on the medical records of celebrities being treated at the facility.
Another example is when the California Department of Health Care Services released confidential and identifying information about HIV positive MediCal recipients to a third party service provider. This was later deemed to be both illegal and unauthorized. To classify these types of cases, the new breach vector of Disclosure has been added to the study beginning with 2011.
The Laptop Vector
Laptops increasingly contain significant amounts of organizational data. They are frequently the sole computer employee’s use, and come with a hard drive that can contain very large datasets. It is not uncommon for companies to find out after a breach incident that the individual assigned the asset had spreadsheets, and even whole databases containing sensitive data. When a laptop is issued to an individual, it should be accompanied by a set of rules for the custodian of the device to follow. This should include direction for maintaining physical control offsite (i.e., not to leave it in a vehicle, etc.) and onsite (i.e., lock it to their work surface), as well as controls for when these rules either are insufficient to keep the asset safe, or when the individual does not follow them. Potential controls include encrypting the device, remote wiping capability, tracking/recovery software, etc. The organization has a responsibility to the data subjects to take appropriate steps to ensure their data will not be at risk of disclosure when the unexpected happens.
Of the 3,765 incidents in the study, 719 involved laptops being improperly disposed of, getting stolen, or being lost. In 96% of these incidents, the laptops were stolen. Overall, the laptop vector accounted for 45,500,147 records in the study.
- The largest quantity of laptops were stolen from the office of the organization suffering the loss. This illustrates the need for locking mechanisms for the laptops when unattended at work.
- The second largest number of laptops were stolen from inside a vehicle. This is the most preventable, and represents 191 incidents over 4 million records.
The Hacking Vector
The 2010 data increasingly showed the prevalence of skimmer use. Skimmers are credit card readers that are typically hand held or installed in ATMs and point of sale devices to read the credit card track data and steal it. This was most commonly seen in retail establishments, and especially in restaurants. Anywhere the credit card is taken away from the customer’s control; there is a higher risk that a skimmer might be used by the dishonest. However, this is not to say that the card data is safe when in the control of the customer. Another increasingly common incident is the skimmer installed inside the gas pump. In this case, there is either a skimmer on the outside of the pump (these are becoming very clever and difficult to spot), or there is a device inside the pump where the customer has no hope of detecting it, and it can be wirelessly unloaded by the criminals, posing minimal risk of being caught.
The Large Incidents (Involving over 1 Million Records)
Only 66 of 3765 incidents involved over 1 million records. However, those 2% of incidents made up 91% of the records disclosed over the study. The top vector for large incidents was the Hack vector, claiming 29% of the incidents. The Drive/Media vector took 22% of the incidents, with the Fraud – SE vector accounting for 17%.
|Breach Vectors of the Ten Largest Incidents (2005 – 2010)|
|Heartland Payment Systems||130,000,000||Hack|
|U.S. Dept. of Veterans Affairs||28,600,000||Laptop|
|H.M. Revenue and Customs||25,000,000||Drive/Media|
Criminal or malicious motivation in attacks makes for more expensive breaches. This is true both for the organizations who suffer them, and the people whose data is compromised. Between 2005 and 2010, in 396 cases were confirmed to have been used for criminal activity. This is a difficult metric to track; since the criminal activity associated with breach activity shows that the data is commonly sold and resold.
The crime where the perpetrator has a direct connection to the victim is most frequently where the arrest is reported with the event. To that end, the Fraud-SE category is represented by a much higher margin than some of the vectors that have generated these large scale data disclosures.
There were 558 incidents where CCN data was involved. They accounted for almost 330 million records. The median records disclosed was 1,000; and 45% of the incidents did not list how many records were disclosed. These records should fall under the Payment Card Industry’s Data Security Standard (PCI-DSS), and the organizations that have experienced these incidents will have to undergo further scrutiny to prove they are compliant with this standard.
The ID Theft Critical Data Elements
The Identity Theft critical data elements are those that, in combination with the Name and Address, facilitate the commission of identity theft and financial fraud—namely the SSN and date of birth. In TLV, we looked at the incidents with these three data items all lost in the same event. At the time of that study, there were only 262 incidents that contained all three items. In contrast, there are now a total of 1,084.
As you can see in the figure below, the Business sector shows a substantial increase. It has gone from 168 incidents in the prior study to 850. However, in only 13% of these cases where the combination of data puts the subject victim into the worst position possible, are these organizations confirmed to have offered credit monitoring. Now, there are a large number of unknowns in this area as well—in the majority of the cases, the reports simply do not say one way or the other whether this service is offered. This is a metric primarily gleaned from the original data breach notification letters obtained through either FOIA requests or from those government entities that are directly posting the original documents as part of the event report. For instance, in the Business sector, 38 cases are confirmed that the service definitely is not offered. In the remaining 701 records, the credit monitoring status is not provided.
Estimated Cost of Data Breaches/Year
|Year||Records Disclosed||Cost Per Record||Total Breach Records|
|*Cost figure from 2009.|
The full The Leaking Vault 2011 report can be found here.