Brian Pennington

A blog about Cyber Security & Compliance

Tag

data breaches

Your Biggest Weakness Is Already on Your Payroll

An Imperva Infographic

Are British Businesses over confident about the threat of data breaches?

Ilex International has launched its Breach Confidence Index, a benchmark survey created to monitor how confident British businesses are that they are protected against security breaches. The Index shows high confidence levels:

  • 24% of the IT decision makers surveyed are very confident that their business is protected against a data security breach
  • 59% are fairly confident

The Breach Confidence Index raises major concerns for British businesses. Businesses are not currently required to report security breaches and in many cases, may not even know that they have experienced one. The survey found that 49% said their business has not experienced a security breach. In comparison to actual statistics shared at the 2015 Cyber Symposium, there is a major gap between the perception and reality of security breaches among businesses.

According to the survey, the most common weaknesses resulting in a data breach were:

  • 22% malware vulnerabilities
  • 21% email security
  • 15% employee education
  • 12% cloud applications
  • 12% insider threats
  • 8% access control
  • 8% BYOD or mobile access
  • 6% non-compliance with current regulations

Weaknesses relating to identity and access management considerably increase as organisations expand their workforce. Some of the most common issues highlighted by large businesses include:

  • 44% insider threats
  • 42% employee education
  • 26% access control
  • 24% BYOD or mobile access

All figures in the Ilex International Breach Confidence Index, unless otherwise stated, are from YouGov Plc. Total sample size was 530 IT Decision Makers. Fieldwork was undertaken between 6th – 12th August 2015. The survey was carried out online.

Data Breaches: Are You Prepared?

Data privacy and security continues to be a growing concern for many organizations. With cyber attacks increasing each year, businesses must be mindful of how data breaches occur in order to prevent the exposure of confidential information. Recognizing vulnerabilities in data security efforts can help minimize the effects a cyber attack may have on an organization.

Original produced here by Thomson Reuters.

UK Businesses unprepared for changes to the Data Protection Act

Crown Records Management survey of IT decision makers reveals companies are woefully unprepared for EU General Data Protection Regulation.

European politicians met on the 24th June 2015 in a bid to ratify huge changes in data protection regulation, but a survey has revealed UK businesses are woefully unprepared.

The EU General Data Protection Regulation aims to unify data protection across Europe with a single law and will be fine-tuned in Brussels at a ‘trilogue’ meeting of the EU Commission, European Parliament and the Council of the EU.

Once passed, it will bring with it huge fines (up to 100m euros or 2% of global turnover under the proposals then on the table; the Regulation as finally adopted in 2016 set the upper tier at 20m euros or 4% of global annual turnover) for companies that breach the regulation, as well as a raft of new rules about collecting, editing and processing the personal data of European citizens. Many companies will also be compelled to employ a Data Protection Officer for the first time.

Experts predict it will affect every single company that operates from within the EU, does business with companies inside the EU, stores its data in EU member countries or handles the personal data of European citizens.

A Crown Records Management Censuswide survey of IT decision makers at UK companies with more than 200 employees revealed businesses here are painfully unprepared – and one in five hasn’t even heard of the Regulation.

Results include:

  • 19.6% are totally unaware of the changes
  • 29.4% of decision makers aged 55+ know nothing about the challenges ahead
  • 25.3% will wait for the final details of the Regulation before taking any action at all
  • 52% who know about the Regulation still aren’t currently reviewing policies
  • 42.5% of decision makers in companies with a turnover of more than £500m are ‘not really concerned’ or ‘not concerned at all’ about the impact of the new structure.
  • 63% have not yet appointed a Data Protection Officer, which will soon become compulsory for many companies
  • 59% have no plans in place to train staff despite the changes looming

Reproduced from Crown Records Management.

Read my 2012 review of the Proposed European Data Protection Act here 

Who breached the Data Protection Act in 2014 (UK)? Find the complete list here.

Who breached the Data Protection Act in 2013 (UK)? Find the complete list here.

Who breached the Data Protection Act in 2012 (UK)? Find the complete list here.

5 steps to respond to a security breach

Is your organisation equipped to deal with potential financial and reputational damage following an attack? 

Has your organisation established an incident management plan that covers data breaches? Recent evidence shows that organisations are ill-equipped to deal with an attack.

Australian bulk deals website, Catch of the Day, suffered a security breach in 2011, with passwords and other user information stolen from the company’s databases. It took until 2014 to notify customers, suggesting there was no response plan in place.

The backlash was very severe for global retail giant, Target, which fell victim to the second largest credit card heist in history. Many customers were outraged about the retailer’s inability to provide information after the breach, and its failure to assure customers that the issue was resolved.

Consequences included settlement payouts of up to $10 million and the resignations of its CIO and CEO.

Organisations should have established and tested incident management plans to respond to data security breaches sooner rather than later. A solid response plan and adherence to these steps can spare much unnecessary business and associated reputational harm.

Here’s a five step plan to ensure you give your organisation the best chance of minimising financial and reputational damage following an attack. 

Step 1: Don’t panic, assemble a taskforce

Clear thinking and swift action is required to mitigate the damage. There is no time for blame-shifting. You need a clear, pre-determined response protocol in place to help people focus in what can be a high pressure situation and your incident management plan should follow this protocol.

Having the right team on the job is critical. Bear these factors in mind when assembling your team: Appoint one leader who will have overall responsibility for responding to the breach. Obvious choices are your CIO or chief risk officer. This leader should have a direct reporting line into top level management so decisions can be made quickly.

Include representatives from all relevant areas, including IT, to trace and deal with any technical flaws that led to the breach; and corporate affairs, in case liaison with authorities is required, to manage media and customer communications.

Don’t forget privacy (you do have a chief privacy officer, don’t you?) and legal, to deal with regulators and advise on potential exposure to liability.

If you anticipate that litigation could result from the breach, then it may be appropriate for the detailed internal investigation of the breach to be managed by the legal team. If your organisation doesn’t have these capabilities, seek assistance from third parties at an early stage.

Step 2: Containment

The taskforce should first identify the cause of the breach and ensure that it is contained. Steps may include:

  • Installing patches to close the vulnerabilities and technology flaws that were exploited. The ‘Heartbleed’ bug in OpenSSL, disclosed in April 2014, left an estimated 17 per cent of the internet’s secure web servers exposed. Although a patch was available almost immediately once it was disclosed, some administrators were slow to react, leaving servers exposed for longer than necessary (and, because the bug could leak private keys, patching alone was not enough: certificates had to be reissued as well).
  • Resetting passwords for user accounts that may have been compromised (and invalidating any active sessions or tokens issued to them), and advising users to change the password on any other account where they reused it.
  • Disabling network access for computers known to be infected by viruses or other malware (so they can be quarantined) and blocking the accounts of users that may have been involved in wrongdoing.
  • Taking steps to recall or delete information such as recalling emails, asking unintended recipients to destroy copies or disabling links that have been mistakenly posted. Take care to ensure that steps taken to contain the breach don’t inadvertently compromise the integrity of any investigation.

Step 3: Assess the extent and severity of the breach

The results will dictate the subsequent steps of your response. A thorough assessment involves:

  • Identifying who and what has been affected. If it’s not possible to tell exactly what data has been compromised, it may be wise to take a conservative approach to estimation.
  • Assessing how the data could be used against the victims. If the data contains information that could be used for identity theft or other criminal activity (such as names, dates of birth and credit card numbers) or that could be sensitive (such as medical records), the breach should be treated as more severe. If the data has been encrypted or anonymised, there is a lower risk of harm.
  • Considering the context of the breach. If there has been a deliberate hacking, rather than an inadvertent breach of security, then the consequences for the relevant individuals or organisations could be much more significant. This should inform how you respond to the breach.

Step 4: Notification

For serious data security breaches, proactive notification is generally the right strategy. At the time of writing, a mandatory notification scheme had been proposed in Australia, with the government promising implementation by the end of 2015. (It was in fact enacted as the Notifiable Data Breaches scheme in 2017 and took effect in February 2018.)

In any case, there are good reasons to consider voluntary notifications, which include:

  • Victims may be able to protect themselves, for example by changing passwords, cancelling credit cards and monitoring bank statements. eBay was roundly criticised in 2014 for not acting quickly enough to notify users affected by a hacking attack, and for doing so only by means of a website notice rather than by sending individual messages. Notices should be practical, suggesting steps that recipients can take to protect themselves.
  • The Privacy Commissioner may also be involved, particularly if personal information has been stolen. The Commissioner may take a more lenient approach to organisations that proactively address problems when they arise.
  • Other third parties may also need to be notified. For example, if financial information is compromised, you might notify the relevant financial institutions so that they can watch for suspicious transactions.
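As an added worked illustration of Steps 3 and 4 (example code written for this page, not part of Cheng Lim’s article), the triage below encodes the assessment criteria described above: what data was exposed, whether it was encrypted or anonymised, whether the breach was a deliberate attack, and a conservative record count when the exact number is unknown. It turns them into a severity rating and a list of parties to notify. The field categories, weights and thresholds are assumptions chosen for illustration; an organisation would calibrate them to its own regulatory obligations.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Risk class of each exposed field, following the article's distinction between
# identity-theft enablers, financial data and sensitive categories.
# The mapping and the weights below are assumptions for this example.
FIELD_CLASSES: Dict[str, str] = {
    "name": "identity",
    "address": "identity",
    "date_of_birth": "identity",
    "national_id": "identity",
    "card_number": "financial",
    "bank_account": "financial",
    "medical_record": "sensitive",
    "password_hash": "credential",
    "email": "contact",
}
CLASS_WEIGHTS: Dict[str, int] = {
    "identity": 3, "financial": 4, "sensitive": 4, "credential": 2, "contact": 1,
}


@dataclass
class BreachReport:
    fields_exposed: List[str]
    records_known: Optional[int]      # None when the exact count cannot be established
    records_upper_bound: int          # worst-case population the data set could cover
    encrypted: bool = False           # encrypted at rest, keys believed not taken
    anonymised: bool = False
    deliberate: bool = False          # deliberate hacking rather than inadvertent disclosure


@dataclass
class Assessment:
    severity: str
    score: int
    records_assumed: int
    notify: List[str] = field(default_factory=list)


def affected_count(report: BreachReport) -> int:
    """Step 3: when the exact number is unknown, estimate conservatively."""
    if report.records_known is None:
        return report.records_upper_bound
    return report.records_known


def score_breach(report: BreachReport) -> int:
    """Step 3: weigh what was exposed, how usable it is, and the attacker's intent."""
    classes = {FIELD_CLASSES.get(f, "contact") for f in report.fields_exposed}
    score = sum(CLASS_WEIGHTS[c] for c in classes)
    identity_fields = [f for f in report.fields_exposed if FIELD_CLASSES.get(f) == "identity"]
    if len(identity_fields) >= 2:
        score += 2                  # name plus DOB/ID together enable identity theft
    if report.anonymised:
        score = max(0, score - 5)   # little can be tied back to an individual
    elif report.encrypted:
        score = max(0, score - 3)   # lower risk, not zero: keys may be weak or also stolen
    if report.deliberate:
        score += 2                  # stolen data will be used, not merely lost
    if affected_count(report) >= 10_000:
        score += 1
    return score


def assess(report: BreachReport) -> Assessment:
    """Steps 3 and 4: rate the breach and decide who must be told."""
    score = score_breach(report)
    severity = "high" if score >= 8 else "medium" if score >= 4 else "low"
    classes = {FIELD_CLASSES.get(f, "contact") for f in report.fields_exposed}
    notify: List[str] = []
    if severity != "low":
        notify.append("affected individuals")   # so they can change passwords, cancel cards
        notify.append("privacy regulator")
    if "financial" in classes and not report.anonymised:
        notify.append("card issuers / financial institutions")   # to watch for fraud
    if "credential" in classes:
        notify.append("force password reset")   # containment measure from Step 2
    return Assessment(severity, score, affected_count(report), notify)


if __name__ == "__main__":
    # Constructed sample: names, dates of birth and card numbers taken by an attacker,
    # exact record count unknown, 50,000 customers in the affected table.
    result = assess(BreachReport(["name", "date_of_birth", "card_number"], None, 50_000, deliberate=True))
    print(result)
```

The same input assessed with `anonymised=True` drops to low severity and notifies nobody, while a credential dump of 200,000 email/password-hash pairs lands at medium and adds a forced password reset to the notification list, which is the Step 2 overlap the article hints at.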

Step 5: Action to prevent future breaches

Having addressed the immediate threat, prevention is the final step. While customers may understand an isolated failure, they are typically less forgiving of repeated mistakes. Carry out a thorough post-breach audit to determine whether your security practices can be improved.

This could include:

  • Engaging a data security consultant, which will give you a fresh perspective on your existing practices, and help to reassure customers and others that you do business with.
  • Promptly remedying any identified security flaws – changes should be reflected in data security policies and training documents (and if such documents don’t exist, create them.)
  • Rolling out training to relevant personnel to ensure that everyone is up to speed on the latest practices.
  • Reviewing arrangements with service providers to ensure that they are subject to appropriate data security obligations (and, if not already the case, make data security compliance a key criterion applied in the procurement process).

Written by Cheng Lim, a partner at global law firm King & Wood Mallesons. Cheng leads KWM’s Cyber-Resilience initiative and has assisted clients over many years in dealing with privacy, data security and data breaches. Originally produced for CIO Australia.

The Majority of Risk Professionals Without Coverage Are Considering Purchasing Cyber Insurance

RIMS, the risk management society™, has conducted its first Cyber Survey 2015 to explore the strategies implemented by risk professionals, including insurance investments, exposures, cyber security ownership, government involvement, and identification methods and response procedures.

Responses came in from 284 of RIMS U.S. professional members in various industries, with 58% of respondents coming from organizations that produce more than $1 billion in annual revenue.

RIMS said it conducted the survey in part to identify the methods and response procedures its members use against cyber threats, and to uncover the strategies they have in place.

RIMS President Rick Roberts said that the new information is intended to give “the global risk management community valuable insight, showing how organizations are trying to stay ahead of this top concern”.

Key survey findings:

  • 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.
  • The top three first party exposures reported are:
    1. 79% reputational harm
    2. 78% business interruption
    3. 73% data breach response and notification
  • 51% said their companies or organizations purchase standalone cyber insurance policies.
  • 58% of those with cyber insurance policies carry under $20 million in cyber coverage, and just under half of those said they pay more than $100,000 in premium.
  • 74% of respondents who said their companies lack cyber coverage are considering getting it within the next 12-24 months.

Most Healthcare Organisations Have Experienced A Data Breach

The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data reveals that the majority of healthcare organizations represented in this study have experienced multiple security incidents and nearly all have faced a data breach. Despite the universal risk for data breach, the study found that many organizations lack the funds and resources to protect patient data and are unprepared to meet the changing cyber threat environment.

The 2015 study was expanded beyond healthcare organizations to include Business Associates.

Represented in this study are 90 covered entities (hereafter referred to as healthcare organizations) and 88 business associates (hereafter referred to as either business associates or BAs). A BA is a person or entity that performs services for a covered entity that involve the use or disclosure of protected health information (PHI), according to the U.S. Department of Health & Human Services. The inclusion of BAs provides a broader perspective of the healthcare industry as a whole and demonstrates the impact third parties have on the privacy and security of patient data. Respondents were surveyed about their privacy and security practices and experiences with data breaches, as well as their experiences with both electronic and paper security incidents.

Data breaches in healthcare continue to put patient data at risk and are costly. Based on the results of this study, they estimate that data breaches could be costing the industry $6 billion.

  • 90% of healthcare organizations represented in this study had a data breach
  • 40% had more than five data breaches over the past two years

According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million. No healthcare organization, regardless of size, is immune from data breach. The average cost of a data breach to BAs represented in this research is more than $1 million. Despite this, half of all organizations have little or no confidence in their ability to detect all patient data loss or theft.

For the first time, criminal attacks are the number one cause of data breaches in healthcare. Criminal attacks on healthcare organizations are up 125% compared to five years ago. In fact, 45% of healthcare organizations say the root cause of their data breach was a criminal attack and 12% say it was due to a malicious insider. In the case of BAs, 39% say a criminal attacker caused the breach and 10% say it was due to a malicious insider.

The percentage of criminal-based security incidents is even higher: web-borne malware attacks, for instance, caused security incidents for 78% of healthcare organizations and 82% of BAs. Despite the changing threat environment, however, organizations are not changing their behaviour: only 40% of healthcare organizations and 35% of BAs are concerned about cyber attackers.

Security incidents are part of everyday business. 65% of healthcare organizations and 87% of BAs report their organizations experienced electronic information-based security incidents over the past two years.

  • 54% of healthcare organizations suffered paper-based security incidents
  • 41% of BAs had such an incident

However, many organizations do not have the budget and resources to protect both electronic and paper-based patient information. For instance, 56% of healthcare organizations and 59% of BAs don’t believe their incident response process has adequate funding and resources. In addition, the majority of both types of organizations fail to perform a risk assessment for security incidents, despite the federal mandate to do so.

Even though medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014, the harms to individuals affected by a breach are not being addressed. Many medical identity theft victims report they have spent an average of $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records.

Nearly two-thirds of both healthcare organizations and BAs do not offer any protection services for patients whose information has been breached.

Since 2010, this study has tracked privacy and security trends of patient data at healthcare organizations. Although the annual economic impact of a data breach has remained consistent over the past five years, the most-often reported root cause of a data breach is shifting from lost or stolen computing devices to criminal attacks. At the same time, employee negligence remains a top concern when it comes to exposing patient data. Even though organizations are slowly increasing their budgets and resources to protect healthcare data, they continue to believe not enough investment is being made to meet the changing threat landscape.

Key Findings

In this section, they provide a deeper analysis of the findings. They have organized this report according to the two following topics:

  • Privacy and security of patient data in healthcare organizations and business associates
  • Five-year trends in privacy and security practices in healthcare organizations

To respond quickly to data breaches, organizations need to invest more in technologies.

  • 58% of healthcare organizations agree that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft.
  • 49% agree they have sufficient technologies
  • 33% agree they have sufficient resources to prevent or quickly detect a data breach.
  • 53% of organizations have personnel with the necessary technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data.

Background

  • Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
  • A security incident is defined as a violation of an organization’s security or privacy policies involving protected information such as social security numbers or confidential medical information. A data breach is an incident that meets specific legal definitions per applicable breach law(s). Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines.
  • The $6 billion industry-wide estimate above is derived by multiplying $1,067,400 (50% of the average two-year cost of a data breach experienced by the 90 healthcare organizations in this research, i.e. an annualised figure) by 5,686 (the total number of registered US hospitals per the AHA), which gives roughly $6.07 billion.

Two thirds of British workers willing to breach data protection rules

Despite the risk to their employer of criminal proceedings and heavy fines, two thirds (66%) of UK workers would not report a serious data protection breach if they thought it would get one of their colleagues into trouble, according to recent research.

The study by telecoms and IT firm Daisy Group, which looked at data security risks, found that 13% of UK workers had disabled the password protection features on work laptops, mobiles or tablet devices because they found them annoying. Of those who did have password protection, 36% said they didn’t change their passwords regularly, and 17% admitted their password was very simple and would be easy to guess.

Data security breaches 

By contrast, when asked whether they would email a client’s or supplier’s personal details outside the company at the request of a third party, 56% said they would not and 19% said they would check with their boss before doing so. However, 7% said they would send the details without querying the request, as they didn’t think anyone would mind.

When asked if data security was an important issue for the company they worked for, 19% said they had no idea.

Cloud specialist Graham Harris explained: “When it comes to data security, all too often businesses focus purely on IT processes and forget about the staff that will be using them.

“As our research identified, human error is one of, if not the most likely source of data security issues, and fear of reprisal is a powerful force. Businesses must be proactive and educate their staff about what data security processes and policies there are, why they exist, what the staff member’s responsibilities are, and reassure them about what to do in the event of a problem.”

Estate agents and those working in the property industry were among the most likely to turn a blind eye to colleagues’ data security failings, with 71% saying they wouldn’t report a data security breach that would get a colleague into trouble. Those working in marketing were the most likely to raise the alarm.

Despite the potential risk of commercially-sensitive data theft, business management and professional services workers were the most likely to disable data security features on their mobile devices.

Mobile Device Management 

The research was conducted to assess the demand among UK businesses for ‘mobile device management’. The new cloud-based technology gives organisations more control over smartphones and tablet computers by letting them remotely track and wipe the content of any lost or stolen devices, thereby ensuring the information remains confidential.

According to one statistic, 180,000 computing and communication devices were lost or stolen in the UK last year, but it is likely that the true figure is much higher as not all thefts are reported to the police.

Graham Harris explained: “It is important to ‘common sense’ test any security system. Procedures that are complicated or disrupt the working environment often result in employees finding ways to circumnavigate them or taking matters in their own hands. Similarly, it is important to plan for human error and problems, such as theft or loss of devices that carry important data, so that when they do occur, they can be dealt with quickly and effectively.”

The EU is currently in the process of reforming its data protection laws which, among other things, would require organisations to report data protection breaches to the relevant authorities within 24 hours, with penalties for failure to comply rising to as much as €100m. The changes were expected to be in force by the end of 2018. (Those were the proposal figures at the time of writing; the GDPR as adopted requires notification to the supervisory authority within 72 hours of becoming aware of a breach, caps fines at €20m or 4% of global annual turnover, and has applied since 25 May 2018.)

The Evolution of Cyber Risk – and ACE Infographic

What Is Your Business’ Greatest Cyber Threat?

Cloud Security: What Higher Education Needs to Know

by Ellucian

29% of Consumers Don’t Trust Retailers With Securing Their Data

“Global Consumers: Concerned and Willing to Engage in the Battle Against Fraud” is the second in a two-part series conducted by ACI Worldwide and Aite Group. Among other findings, only slightly more than 50% of consumers feel the stores where they shop use security systems that adequately protect their financial data against hackers and data breaches:

  • 29% do not trust retailers (e.g., stores, online shopping sites, restaurants, etc.) to protect stored personal and financial data against hacking attempts and data breaches.    
  • 58% think financial institutions (large multinational institutions, community banks and credit unions) do a better job of protecting their data than do retailers, or for that matter, government agencies and law enforcement.  
  • Only 55% feel stores where they shop use security systems that adequately protect their financial data against hackers and data breaches, compared to 62% who believe that online shopping websites adequately protect this information.  

Mobile Customer Engagement

  • 77% are “very interested” in being contacted about suspicious activity on their cards or accounts via a phone call, email or text message.  
  • 73% prefer that their banks not post transactions to their cards until they respond to fraud alerts. 

Consumer Awareness

  • 42% do not recall receiving any anti-fraud information from their financial institution.
  • 32% think theft by a computer hacker is the greatest fraud risk. 

Prepaid Card Implications

  • In many countries, prepaid card usage and the rate of fraud on such cards correlates. China and India have the highest rates of prepaid card fraud at 17% and 18%, respectively, and very high consumer use rates at 93% and 91%, respectively. 
  • Conversely, in countries with use rates of 70% or less, such as Australia, Canada, New Zealand and the United States, fraud rates are 4% or less, indicating that the fraud rate may rise as more consumers use prepaid cards.  

“Consumer distrust is exacerbated by the widely publicized retail data breaches over the past year,” said Mike Braatz, senior vice president, Payments Risk Management Solutions, ACI Worldwide.

“Retailers have their work cut out for them – to change consumer perception that shopping, be it online or in-store, is unsafe,” Braatz added.

“Consumers want to engage in the battle against fraud. Financial institutions must take a proactive role in not only engaging customers in fraud-alerting activities, but educating them on preventative measures to take to most effectively combat it,” said Shirley Inscoe, senior analyst, Aite Group.

“Communication is key when it comes to financial institutions making customers aware of the tools available to fight fraud. This can have a big impact on customer satisfaction and loyalty,” Inscoe added.

110 million Americans hacked in the last 12 months

In a CNNMoney-commissioned study, Ponemon Institute researchers found:

  • 110 million Americans, roughly half of the nation’s adults, had personal information exposed by hackers in the last 12 months alone
  • 432 million accounts were hacked

“It’s becoming more acute,” said Ponemon Institute head Larry Ponemon. “If you’re not a data breach victim, you’re not paying attention.”

The CNNMoney article points to recent examples of large hack attacks:

  • 70 million Target customers’ personal information, plus 40 million credit and debit cards
  • 33 million Adobe user credentials, plus 3.2 million stolen credit and debit cards
  • 4.6 million Snapchat users’ account data
  • 3 million payment cards used at Michaels
  • 1.1 million cards from Neiman Marcus
  • “A significant number” of AOL’s 120 million account holders
  • Potentially all of eBay’s 148 million customers’ credentials

Full article here.

Cost of business cyber security breaches almost double

The number of information security breaches affecting UK businesses has decreased over the last year, but the scale and cost of individual breaches has almost doubled.

The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and carried out by PwC, found:

  • 81% of large organisations suffered a security breach, down from 86% a year ago
  • 60% of small businesses reported a breach, down from 64% in 2013

Although organisations are experiencing fewer breaches overall, the severity and impact of attacks has increased, with the average cost of an organisation’s worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average, and for large organisations between £600,000 and £1.15 million.

The majority of businesses have increased IT security investment over the last year

Universities and Science Minister David Willetts said:

“These results show that British companies are still under cyber attack. Increasingly those that can manage cyber security risks have a clear competitive advantage. Through the National Cyber Security Programme, the government is working with partners in business, academia and the education and skills sectors to equip the UK with the professional and technical skills we need for long-term economic growth.”

Andrew Miller, cyber security director at PwC, said:

“Whilst the number of breaches affecting UK business has fallen slightly over the past year the number remains high and in many companies more needs to be done to drive true management of security risks. Breaches are becoming more sophisticated and their impact more damaging. Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis. As the average cost of an organisation’s worst breach has increased this year, businesses must make sure that the way they are spending their money in the control of cyber threats is effective. Organisations also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.”

70% of companies with a poor understanding of their security policy experienced staff-related breaches, compared to only 41% of companies where security is well understood. This suggests that communicating security risks to staff and investing in ongoing awareness training results in fewer breaches.

The survey also found that there has been an increase in the number of businesses which are confident that they have the skills required within their organisations to detect, prevent and manage information security breaches, up to 59% from 53% last year.

Ensuring that we have the cyber skills capability to meet the evolving needs of businesses is a key objective of the UK’s National Cyber Security Strategy. Earlier this year (2014), the government unveiled a raft of new proposals to meet the increasing demand for cyber security skills. These include a new higher-level apprenticeship, special learning materials for 11 to 14 year-olds and plans to train teachers to teach cyber security.

Earlier this year (2014) the government launched a new scheme to help businesses stay safe online. Cyber Essentials provides clarity to organisations on what good cyber security practice is and sets out the steps they need to follow, to manage cyber risks. From this summer (2014) organisations that have complied with the best practice recommendations will be able to apply to be awarded the Cyber Essentials Standard. This will demonstrate to potential customers that businesses have achieved a certain level of cyber security and take it seriously.

The press release can be found here

Six Years of Data Breaches including the TOP 10 largest Breaches

Vault IV
Image by jaygoldman via Flickr

The Leaking Vault 2011 report from the Digital Forensics Association has gathered data from studying 3,765 publicly disclosed data breach incidents, and is the largest study of its kind to date. Information was gleaned from the organizations that track these events, as well as government sources. Data breaches from 33 countries were included, as well as those from the United States.

This study covers incidents from 2005 through 2010, and includes over 806.2 million known records disclosed. On average, these organizations lost over 388,000 records per day (about 15,000 records per hour), every single day for the six years covered.

The estimated cost of these breaches comes to more than $156 billion for the organizations experiencing these incidents. This figure does not include the costs that downstream or upstream organizations may incur, nor those borne by the data subject victims. Further, it is a low estimate of the cost, because 35% of the incidents did not name a figure for records lost.

The Hacking vector remains the records loss leader, responsible for 48% of the records disclosed in the study.

  • In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number
  • 16% disclosed medical information
  • 15% of the incidents disclosed Credit Card Numbers

Medical disclosures saw a significant increase with the addition of the 2010 data. This is more likely due to the reporting requirement of existing regulations going into effect than any actual increase of incidents. The incidents where criminal use of the data was confirmed increased by 58% from the prior report.

Here is a small sampling of the incidents from the study to put a personal face on the statistics:

  • Three servers (wait staff) at a well-known chain restaurant were charged with using skimming devices to make more than $117,000 in fraudulent charges to customer credit card accounts.
  • A restaurant employee stole customer credit card information and used it to purchase $200,000 of Walmart gift cards.
  • In the span of six months, nine employees of a telecommunications company inappropriately accessed confidential customer account information and used it to make cloned cell phones. Over $15 million of unauthorized phone calls resulted from this scheme.
  • An executive turned himself in to authorities after being accused of selling customer information to identity thieves in exchange for sports tickets and gift cards.
  • The owner of a medical equipment business used Medicare client information to obtain approximately $1.6 million worth of fraudulent claims.
  • The owner of a farm equipment store pled guilty to federal charges, admitting she stole the identities of customers to obtain more than 80 loans worth $1.7 million.

Breach Vectors

There has been a rise in snooping and other inappropriate disclosure, where the confidentiality of the data is breached but the data may not have left the control of the organization, or where the act was done with the approval of the organization but was later found to be an inappropriate breach of confidentiality. In a recent case, UCLA Medical Center agreed to pay $865,000 to settle instances where employees snooped on the medical records of celebrities being treated at the facility.

Another example is when the California Department of Health Care Services released confidential and identifying information about HIV positive MediCal recipients to a third party service provider. This was later deemed to be both illegal and unauthorized. To classify these types of cases, the new breach vector of Disclosure has been added to the study beginning with 2011.

The Laptop Vector

Laptops increasingly contain significant amounts of organizational data. They are frequently the sole computer an employee uses, and come with a hard drive that can hold very large datasets. It is not uncommon for companies to find out after a breach incident that the individual assigned the asset had spreadsheets, and even whole databases, containing sensitive data. When a laptop is issued to an individual, it should be accompanied by a set of rules for the custodian of the device to follow. This should include direction for maintaining physical control offsite (e.g., never leaving it in a vehicle) and onsite (e.g., locking it to their work surface), as well as controls for when these rules are either insufficient to keep the asset safe or are not followed by the individual. Potential controls include encrypting the device, remote wiping capability and tracking/recovery software. The organization has a responsibility to the data subjects to take appropriate steps to ensure their data will not be at risk of disclosure when the unexpected happens.

Of the 3,765 incidents in the study, 719 involved laptops being improperly disposed of, getting stolen, or being lost. In 96% of these incidents, the laptops were stolen. Overall, the laptop vector accounted for 45,500,147 records in the study.

  • The largest number of laptops was stolen from the office of the organization suffering the loss. This illustrates the need for locking mechanisms for laptops left unattended at work.
  • The second largest number of laptops was stolen from inside a vehicle. This is the most preventable scenario, and represents 191 incidents and over 4 million records.

The Hacking Vector

The 2010 data increasingly showed the prevalence of skimmer use. Skimmers are credit card readers, typically hand-held or installed in ATMs and point-of-sale devices, that read and steal the credit card track data. This was most commonly seen in retail establishments, and especially in restaurants. Anywhere the credit card is taken away from the customer’s control, there is a higher risk that a skimmer might be used by the dishonest. However, this is not to say that the card data is safe when in the control of the customer. Another increasingly common incident is the skimmer installed inside the gas pump. In this case, there is either a skimmer on the outside of the pump (these are becoming very clever and difficult to spot), or there is a device inside the pump where the customer has no hope of detecting it, and it can be unloaded wirelessly by the criminals, posing minimal risk of being caught.

The Large Incidents (Involving over 1 Million Records)

Only 66 of the 3,765 incidents involved over 1 million records. However, those 2% of incidents made up 91% of the records disclosed over the study. The top vector for large incidents was the Hack vector, claiming 29% of the incidents. The Drive/Media vector took 22% of the incidents, with the Fraud-SE vector accounting for 17%.

Breach Vectors of the Ten Largest Incidents (2005 – 2010)

Organization                      Records       Vector
Heartland Payment Systems         130,000,000   Hack
TJX Companies                      94,000,000   Hack
Facebook                           80,000,000   Web
National Archives                  76,000,000   Drive/Media
Card Systems                       40,000,000   Hack
RockYou, Inc.                      32,000,000   Hack
U.S. Dept. of Veterans Affairs     28,600,000   Laptop
H.M. Revenue and Customs           25,000,000   Drive/Media
iBill                              17,781,462   Fraud-SE
TMobile                            17,000,000   Drive/Media
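The "Large Incidents" figures above (2% of incidents accounting for 91% of records) and the per-vector breakdown are simple aggregations over an incident list, with the complication that a sizeable share of disclosures state no record count. The following is an added example, not code from the Digital Forensics Association or the report; it runs over a small constructed incident list (not the study's data) and reproduces that kind of analysis: records per vector, the share of incidents and records above a size threshold, the top-N incidents, and the median of known counts. Incidents with an unknown record count are kept in the incident count but excluded from record totals, which is why such totals are a low estimate.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Incident:
    organization: str
    records: Optional[int]   # None when the disclosure did not state a count
    vector: str              # breach vector category, e.g. Hack, Laptop, Drive/Media

# Constructed sample data (hypothetical organizations, not the study's dataset).
# Vector names follow the categories used on the page.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("Payment processor A", 130_000_000, "Hack"),
    Incident("Retailer B", 94_000_000, "Hack"),
    Incident("Agency C", 76_000_000, "Drive/Media"),
    Incident("Hospital D", 2_400, "Laptop"),
    Incident("Restaurant E", 1_000, "Fraud-SE"),
    Incident("Clinic F", None, "Disclosure"),
    Incident("University G", 1_500_000, "Web"),
    Incident("Bank H", 50_000, "Laptop"),
    Incident("Telco I", None, "Fraud-SE"),
    Incident("Insurer J", 300_000, "Hack"),
]

LARGE_THRESHOLD = 1_000_000   # the report's cut-off for a "large" incident

def known(incidents: List[Incident]) -> List[Incident]:
    """Incidents that actually state a record count."""
    return [i for i in incidents if i.records is not None]

def records_by_vector(incidents: List[Incident]) -> Dict[str, int]:
    """Sum of known records per breach vector; unknown counts contribute nothing."""
    totals: Dict[str, int] = defaultdict(int)
    for inc in known(incidents):
        totals[inc.vector] += inc.records
    return dict(totals)

def vector_share(incidents: List[Incident]) -> Dict[str, float]:
    """Percentage of all known records attributable to each vector."""
    totals = records_by_vector(incidents)
    grand = sum(totals.values())
    if grand == 0:
        return {}
    return {v: round(100 * n / grand, 1) for v, n in totals.items()}

def large_incident_share(incidents: List[Incident],
                         threshold: int = LARGE_THRESHOLD) -> Dict[str, float]:
    """How few incidents account for how many records (the 2% / 91% style figure)."""
    with_count = known(incidents)
    large = [i for i in with_count if i.records >= threshold]
    total_records = sum(i.records for i in with_count)
    large_records = sum(i.records for i in large)
    return {
        "incident_count": len(incidents),
        "unknown_count": len(incidents) - len(with_count),
        "large_count": len(large),
        # incident share is over all incidents, including those with no count
        "large_incident_pct": round(100 * len(large) / len(incidents), 1),
        # record share can only be computed over incidents with a known count
        "large_record_pct": round(100 * large_records / total_records, 1) if total_records else 0.0,
    }

def top_incidents(incidents: List[Incident], n: int = 10) -> List[Incident]:
    """Largest n incidents by known record count (the 'ten largest' table)."""
    return sorted(known(incidents), key=lambda i: i.records, reverse=True)[:n]

def median_known_records(incidents: List[Incident]) -> float:
    """Median over incidents with a stated count; the mean is dominated by outliers."""
    return median(i.records for i in known(incidents))

if __name__ == "__main__":
    print("records by vector:", records_by_vector(SAMPLE_INCIDENTS))
    print("vector share (%):", vector_share(SAMPLE_INCIDENTS))
    print("large incidents:", large_incident_share(SAMPLE_INCIDENTS))
    for inc in top_incidents(SAMPLE_INCIDENTS, 3):
        print(f"{inc.organization:<22}{inc.records:>14,}  {inc.vector}")
    print("median known records:", median_known_records(SAMPLE_INCIDENTS))
```

On the constructed sample, four of ten incidents are at or above the 1 million threshold but they hold 99.9% of the known records, the same skew the report describes. Reporting the median alongside the vector totals matters for the same reason: a handful of very large incidents dominate any mean.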

Criminal Use

Criminal or malicious motivation in attacks makes for more expensive breaches. This is true both for the organizations that suffer them and for the people whose data is compromised. Between 2005 and 2010, 396 cases were confirmed to have involved data that was used for criminal activity. This is a difficult metric to track, since the criminal activity associated with breaches shows that the data is commonly sold and resold.

Crimes where the perpetrator has a direct connection to the victim are the ones where an arrest is most frequently reported along with the event. For that reason, the Fraud-SE category is represented by a much higher margin in the confirmed criminal-use figures than some of the vectors that have generated the large-scale data disclosures.

Credit Cards

There were 558 incidents where CCN (credit card number) data was involved. They accounted for almost 330 million records. The median number of records disclosed was 1,000, and 45% of the incidents did not list how many records were disclosed. These records should fall under the Payment Card Industry Data Security Standard (PCI DSS), and the organizations that have experienced these incidents will have to undergo further scrutiny to prove they are compliant with this standard.

The ID Theft Critical Data Elements

The Identity Theft critical data elements are those that, in combination with the Name and Address, facilitate the commission of identity theft and financial fraud, namely the SSN and date of birth. In TLV (the earlier The Leaking Vault report), we looked at the incidents with these three data items all lost in the same event. At the time of that study, there were only 262 incidents that contained all three items. In contrast, there are now a total of 1,084.

As you can see in the figure below, the Business sector shows a substantial increase. It has gone from 168 incidents in the prior study to 850. However, in only 13% of these cases, where the combination of data puts the subject victim into the worst position possible, are these organizations confirmed to have offered credit monitoring. There are a large number of unknowns in this area as well: in the majority of the cases, the reports simply do not say one way or the other whether this service is offered. This is a metric primarily gleaned from the original data breach notification letters, obtained either through FOIA requests or from those government entities that directly post the original documents as part of the event report. For instance, in the Business sector, 38 cases are confirmed where the service definitely is not offered. In the remaining 701 records, the credit monitoring status is not provided.

Estimated Cost of Data Breaches/Year

Year    Records Disclosed   Cost Per Record   Total Breach Cost
2005           68,555,563           $138.00      $9,460,667,694.00
2006           80,377,865           $182.00     $14,628,771,430.00
2007          164,813,878           $197.00     $32,468,333,966.00
2008          182,707,769           $202.00     $36,906,969,338.00
2009          261,759,494           $204.00     $53,398,936,776.00
2010           48,080,863          $204.00*      $9,808,496,052.00
Total         806,295,432                      $156,672,175,256.00

*Cost figure from 2009.

The full The Leaking Vault 2011 report can be found here.
