This information was reportedly made available online as the result of several initiatives. From what the report indicates, at least 250,000 bank / credit accounts were hacked into. Other information was the result of phishing, a process that dupes individuals to give over their details (such as log in details or credit card details). The information was intercepted over a four-year period by a British company, Lucid Intelligence, and collated into a single database, allowing these figures to be determined for the first time:

The Lucid Intelligence database contains the records of four million Britons, and 40 million people worldwide, mostly Americans. Security experts described the database as the largest of its kind in the world.

The report from The Times indicates that other sensitive information, such as corporate email access details, is being sold in online forums or hacking websites. This puts companies at risk for data breach issues.

Individuals can search the database for free, for now, to see if their information has been sold online. It will specify what information about you is known – whether it’s just your email address, your mailing address, or more high risk information such as banking details. You can learn more about the initiative here.

It’s quite an interesting venture – what do you think about it?

The Information Commissioner, Richard Thomas, announced that the number of data breaches reported since November 2007 has reached 277. November 2007 marks when HMRC lost 25 million child benefit records (story here). Of those 277 breaches, 28 are attributed to the central government. The ICO is investigating 30 of the most serious breaches of this past year.

In a speech delivered to the RSA Conference, Commissioner Robert Thomas talked about the state of data security, or “data insecurity“, he adds. The HMRC data breach of 25 million child benefit records merely brought the existing data security issues to public and political attention, Thomas notes.

“The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total.”

Arguing that information can be a “toxic liability” as well as an asset, Robert Thomas challenges CEOs to ensure that they are minimizing the amount of data they hold and that appropriate data security measures are being taken. He says this responsibility lies with the CEO, not with the IT department or other staff.

“It’s no good saying the IT boys are looking after this, it’s no good saying the lawyers are sorting out the policies, it’s no good saying human resources are doing the training – it’s right across the organisation.”

Richard Thomas notes that personal information is the lifeblood of both government and business, but that more responsibility needs to be taken to assure that data remains safe. The first step in that is to understand the risks being faced associated with the vast centralized stores of data and its portability across networks and devices.

The ICO continues to offer advice on data security, from the encryption of laptops to improved data access policies. As noted several times by the ICO in their report, the actual figures for data breaches probably are much higher than 277. Currently there is no legal obligation to report data losses in the UK, and many data breaches may go undetected.

Out of the 277 reported breaches, 67 were due to the loss or theft of a computer or laptop. The National Health Service (NHS), the worst breach offender so far for 2008 with 75 breaches, has had 27 of those breaches the result of lost or stolen computers. Learn how Computrace can help provide multi-layered security solutions for your computers here.

Further Reading:

• ICO Press Release – Privacy watchdog calls on CEOs to take responsibility for data protection safeguards [PDF]
• Transcript – Speech to RSA Conference Europe on data breaches
  Richard Thomas, Information Commissioner [PDF]
• ICO Chart – Data security breaches since November 2007, by breach type and sector

Via BBC

The supplemental report compares risk factors among the various industries: finance, food, retail and tech. It identifies some important insights into the data, such as that, among all industries, the financial services industry is at the greatest risk of insider data breaches. In other sectors, business partners posed a higher risk to data.

“The supplemental report provides further insight into the nature of breaches, underscoring that good security does not lend itself to a cookie-cutter approach.” – Dr. Peter Tippett, vice president of research and intelligence, Verizon Business Security Solutions

The supplemental report indicates that financial service firms are the targets of more sophisticated attacks that often take weeks to discover. That said, financial organizations were shown to have a higher level of asset awareness and to detect breaches more quickly than other organization types. Breaches from lost systems, like laptops, tend to occur less frequently.

The data breach investigation report found that the majority of breaches could be avoided by reasonable security measures, so this supplemental report aims to help identify what industry-specific differences could lead to better proactive security measures.

Other key findings include:

• High-tech organizations: had a difficult time keeping track of information assets, affected by malicious insiders more than others, hacked more than others
• Retail: more data breaches than other sectors, wireless network attacks growing quickly, too reliant on third-parties to discover breaches, most attacks are opportunistic
• Food and beverage: many breaches involve third-party remote access to payment card data, poor security configurations are exploited, POS systems are used to spread malware, and breach detection is very poor

Resources:

• 2008 Data Breach Investigations Report [PDF]
• Verizon Business Supplemental Report [PDF]

And a fun piece of educational reading – spammers are more likely to use Obama than McCain in the subject line of spam emails [read here].

Via CSO Online, Information Week

The 5 recommendations for turning employees into security assets are:

1. Make data security part of the company culture - getting department managers involved in locating sensitive data & setting access, use & protection policies; training employees for their own use and on ensuring others observe policies
2. Integrate data leak prevention processes into overall workflow – have policies on data access & tracking that extend to new data, new employees, new departments and for mobile computing (or other new threat vectors)
3. Make employees feel like security assets, not liabilities – with training and awareness programs
4. Prevent the temptation to engage in “harmless” policy violations – by clarifying grey areas like taking data offsite, copying or storing data and transporting data
5. Teach employees about policies while enforcing them – take action quickly and block actions that are not desirable. Have data leak protection technologies to monitor and prevent leaks, but also to educate employees if they try to do something that is against policy.

Read more details about these recommendations here.

Cyber-Ark interviewed 300 IT security professionals for their annual survey. This year, 88% of respondents said that, “if laid off tomorrow, would take valuable and sensitive company information with them.” And that’s just counting the respondents who were honest enough to admit they’d act unethically!

When asked what information employees would take, the target information includes: CEO’s passwords, customer database, R&D plans, financial reports, M&A plans and a list of company passwords.

“Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it’s often considered too much hassle. When people leave the organization, they can often still access the network using these passwords to acquire highly sensitive data” – Udi Mokady – president and CEO of Cyber-Ark.

Most companies may be unaware of the full list of admin passwords that an IT employee has access to, and this could prove dangerous. Privileged passwords that access sensitive information should be secured and routinely changed, particularly when IT employees leave.

Other interesting survey results:

• One third of companies believe internal espionage and data leaking has resulted in data going to competitors or criminals
• One quarter have suffered data breaches by internal sabotage and/or IT security fraud
• 35% send sensitive or confidential information via email (an insecure medium, most of the time)
• One third of IT administrators admit to keeping passwords on post-it notes
• One third admit to snooping on the network to look at confidential information like salary details, personal emails, meeting minutes, etc

Via network world ; Clipart via Microsoft / Presentation Pro