Posts Tagged ‘breach report’

2008 Data Breaches up 47%

Tuesday, January 13th, 2009

The Identity Theft Resource Center (ITRC) has released their 2008 breach report showing a 47% increase in data breaches over 2007.

2008 Data Breaches Reported – 656

2007 Data Breaches Reported – 446

Keep in mind the key word in this data: reported. More data breaches go unreported and/or undetected. However, this data still shows a troubling increase in data security issues.

Breaking down the data by sector, the figures are approximately the same as in previous years. The Business sector accounted for 240 breaches, 36.6% of all breaches. Following behind in terms of incidence are Education (20%), Government (16.8%), Medical (14.8%) and Financial (11.9%). The Government sector was the only sector to have a marked decrease in breach incidents over a 2 year period, dropping nearly 50% since 2006.

According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. 8.5% used password protection.

Five categories of data loss methods are tracked: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Insider theft accounted for 15.7% of data breaches, more than doubling between 2007 and 2008. Most breaches, 35.2%, are accidental, falling into the ‘data on the move’ and ‘accidental exposure’ categories.

Based on data collected, 82.3% of breaches were electronic (vs paper) and at least 35.7 million records were potentially breached (based on notification letters / information supplied). Given that one breach alone in 2007 accounted for 25 million exposed records, it is likely that although the number of breaches went up in 2008, the number of records exposed may have gone down.

You can download the ITRC Stats & Reports here.

Fun read: Ever wonder what a month of spam looks like? Crazy, isn’t it, that one person can receive so much spam!

Starbucks Data Breach Mirrors that of 2006

Tuesday, December 2nd, 2008

Who Breached: Starbucks
Number Affected: 97,000
Information breached: Social Security Numbers
How: stolen laptop

Starbucks Corp. confirmed this week that a laptop containing the information of 97,000 employees was stolen.

A Starbucks laptop containing names, addresses and Social Security Numbers was stolen on October 29th. It is not clear if the laptop was protected in any way, or how it was stolen.

In 2006, Starbucks reported the theft of four laptop computers, so it is sad that such an issue would again come to light. In 2006, the breach affected 60,000 Starbucks employees / partners. Although the Starbucks statement to employees, after this most recent breach, indicates that the company is taking steps to protect data, including encryption, one would hope that those steps would have occurred in the 2-year period since the last breach. A copy of the letter sent to affected Starbucks employees can be found here.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training, and software such as Computrace from Absolute.

Other major data breaches for November, 2008:

  • Luxottica Group, 59,000+ affected, hacker [read more]
  • University of Florida College of Dentistry, 344,000+, compromised server [read more]
  • Christus Health Care, thousands, stolen backup tapes [read more]
  • Harvard Law School, 21,000, lost backup tapes [read more]
  • North Carolina Division of Aging and Adult Services, 85,000+, lost laptop [read more]
  • Baylor Health Care System Inc., 100,000, stolen laptop [read more]
  • Arizona Department of Economic Security, 40,000, stolen hard drives [read more]

And in other news…

In a very strong statement, Canada’s Privacy Commissioner Jennifer Stoddart called Canada to shame for inaction on cybercrime. Stoddart called it an “embarrassment” that Canada does not protect the rights of individuals with provisions such as anti-spam legislation, strong identity theft legislation, or mandatory data breach provisions. Read more about this here.

Via datalossdb

T-Mobile Breaches 17 Million

Friday, October 17th, 2008

Who Breached: Deutsche Telekom’s T-Mobile
Number Affected: 17 million
Information breached: Social Security Numbers
How: laptop

T-Mobile, a subsidiary of Deutsche Telekom, has issued notice that a major data breach from 2006, affecting 17 million customers, has resurfaced as an issue. The information included names, addresses and phone numbers. No banking details were lost.

The data loss occurred in 2006, but details of the breach event became public on October 4th, 2008 in this statement. The company published this report publicly after a German news magazine reported that the data was up for sale on the Internet.

Deutsche Telekom says that a data storage medium with records for 17 million people was found, and that there was no record of unauthorized use of the data. However, the German news magazine found the data online for sale. The data includes home address and unlisted phone numbers for celebrities, business leaders, government ministers and more.

Here is an excerpt from Deutsche Telekom’s response:

In spring 2006, Deutsche Telekom immediately reported the theft to the responsible public prosecutors’ office. Within the scope of their investigations, the public prosecutors’ office was able to recover storage media. Extensive research conducted over several months on the Internet and in data trading places could not reveal any clues indicating that the data had been offered or disseminated on the black market. Owing to this, Deutsche Telekom assumed that there would be no dissemination of the data. However, Der Spiegel was apparently able to access the data in question via third parties.

The company expresses concern that the breach incident is relevant once again, being previously under the assumption that the matter had been closed. They “regret to say that [they] have not been able to protect… customer data in line with [their] standards.”

Deutsche Telekom says that security measures have been significantly tightened since 2006. These measures include: complex passwords, access authorization, and access monitoring, among other measures. They have set up a FAQ on the data breach here.

Other recent notable data breaches:

  • University of North Dakota – Stolen Laptop, 84,554 affected [more]
  • University of Indianapolis – Hacker, 11,000 affected [more]
  • The Whittington Hospital NHS Trust – lost CDs, 17,990 affected [more]
  • CCN – hacker, 98,930 affected [more]

Via datalossdb.org, vnunet, NY Times

Insiders at GS Caltex Steal Info of 11 Million

Tuesday, September 9th, 2008

Who Breached: GS Caltex
Number Affected: 11,000,000
Information breached: Social Security Numbers
How: Insider stealing data

Four people have been arrested in connection with a major data breach at GS Caltex, a Total Energy Service provider based out of South Korea. This is being called the country’s largest data breach to date.

Earlier this month, CDs and DVDs containing the names, Social Security numbers and email addresses of 11 million GS Caltex customers were found in the garbage in Seoul. The data included information on government officials, lawmakers and politicians.

Investigators on the case say one of the suspects exposed the leak to the media in a publicity campaign aimed at boosting the market value of the data! This is the first time I’ve heard of such a tactic.

The four people arrested on Sunday included two employees of a GS Caltex subsidiary. One suspect is alleged to have copied the database while working at a call center.

The data was copied onto several CDs and DVDs, which presents several issues: that sensitive data could be accessed by a call center employee, that data could be copied to external devices, and that none of this was being tracked internally.

Other recent large data breaches:

  • National Technical Institute for the Deaf, 13,800 Affected, Stolen Laptop – more here
  • Louisiana Real Estate Commission, 13,000 Affected, Insider Accident – more here
  • InterActive Financial Marketing Group (IFMG), 92,095 Affected, Hacker – more here

Via datalossdb.org, AFB
