Hackers, insiders blamed for US data breach growth
Taking a leak
US organisations lost even more sensitive data in a greater number of information security screw-ups last year, according to a new survey.
A study by the Identity Theft Resource Center (ITRC) calculated that 35 million data records were exposed last year in 656 admitted incidents, up 47 per cent compared to the 446 data loss calamities logged in 2007. Since an estimated 40 per cent of breaches go unreported, the true number of exposed records is likely to be far higher than the headline figures suggest, ITRC explains.
The vast majority of data breaches reported last year involved data unprotected by either encryption or even password protection. Only 25 (2.4 per cent) of all breaches involved encrypted data, while password protection came into play in just 8.5 per cent of cases.
ITRC monitors press reports and statutory disclosures to track five categories of data loss: data lost in transit, accidental exposure, insider theft, subcontractors, and hacking.
Computer malware, hacking, and insider theft accounted for 29.6 per cent of recorded breaches where the root cause of the attack is known. One in six breaches (15.7 per cent) were blamed on insider theft, a figure that more than doubled between 2007 and 2008.
More encouragingly, data losses due to human error rather than malign action dropped in frequency while still accounting for more than a third of cases (35.2 per cent), again where the cause of a breach has been determined.
Meanwhile, electronic breaches (82.3 per cent) continue to outnumber paper breaches (17.7 per cent) by almost five to one, ITRC concludes. US government organisations suffered fewer breaches last year, while screw-ups in the private sector showed a corresponding rise.
A full breakdown of the incidents logged by ITRC, on which it bases its report, can be found here (PDF warning). ®
COMMENTS
In other news,
A junior Zanew Labour minister asked the ITRC to prepare a report for the British Government on the status of Westminster's data security.
When the analysts finally stopped ROTFL(t)AO, they pointed out that, even if they devoted 100% of their resources to the task, the report would not be ready before 2015 at the very earliest, and that there were insufficient trees in the Amazon rainforest for a document that size.
The minister's response to ITRC was last seen in a briefcase on the last train to Clarkesville, between a stuffed walrus and a filing cabinet labelled "beware of the leopard"...
security is cheap
I have seen lots of large corporations with public exploits from free software running on their systems. I've been into the sales dept of 2 large supermarkets in America watching the staff processing orders. Also, various large online retailers have basic SQL injection vulnerabilities. I've even seen sites that say "godaddy secure tested" or "verisign secure" that have very trivial or dangerous vulnerabilities.
Nothing to do with business practices. Oh no.
Yeah, it's the hackers and insiders. It has nothing at all to do with businesses choosing to buy their technology and tech services from the lowest bidder. Nothing at all to do with that.
It also has nothing at all to do with business leaders being utterly clueless about technology, and deploying stuff for the sake of it. Businesses suffer from "keeping up with the Joneses" as much as middle England.
And the value that personal data has has nothing at all to do with the greed of banks and financial institutions. Personal data has an artificially high value because all a fraudster needs is some personal info and he can take out loans in your name, or all the other tricks they get up to. The eagerness of banks to loan money without taking real steps to confirm who they are speaking to means that they ended up relying on security through obscurity: hoping that only the customer knows their name, age, addresses, mother's maiden name etc. Lenders also don't want the customers to think too hard about whether borrowing is a good idea, so John Public being able to ring some company and have them loan money over the phone there and then is what lenders want. Just take a look at some of the horrible adverts on daytime TV aimed squarely at the financially clueless for products like remortgages.
Of course, blaming hackers on the other side of the world plays to people's prejudices against minority groups and people who might have a different skin colour. Rich business owners also seem to think that given half a chance anyone will rip them off[1], so it must be the insiders too.
[1] Being the fully qualified internet-couch-psychologist that I am, I determine that that is a classic case of projection... how did the rich guy get rich in the first place? It wasn't through generosity or charitable contributions, I can tell you that!