Posts Tagged ‘breach statistics’

Happy Data Privacy Day – Cost of a Data Breach Goes Up

Thursday, January 28th, 2010

Today is World Data Privacy Day, and what better way to spend it than to take a look at the effects of data breaches. The Ponemon Institute and PGP have released a new report on the Cost of a Data Breach in 2009. In 2008, the cost was found to be $202 per breached record. The 2009 cost per breached record increased to $204, a very marginal increase over the previous year. But it adds up.

The 2009 study examined the records of 45 U.S. companies that experienced a data breach that year, with records lost in the range from 5000 to over 101,000. The study found that, for the first time, companies are spending more on technologies to prevent and remediate breaches. The organizational cost of a data breach, on average, was $6.75 million. The most expensive breach resolution recorded in the study was $31 million.

With this first-ever increase in technology spending, the areas where spending was concentrated were encryption, identity and access management, data loss prevention and endpoint security.

In a similar study, the Ponemon Institute found that the cost of a lost laptop in 2008 was nearly $50,000. It is encouraging to see that companies are paying attention to these costs – which include lost customer trust and loyalty - and are investing in technologies, such as those offered by Absolute Software, to mitigate these costs.

What are you doing to help stop data breaches in your organization?


Heartland Breach is Costly

Thursday, May 21st, 2009

Earlier this year, we posted about one of the largest data breaches to ever come to light: the Heartland Payment Systems breach that affected as many as 100 million people after their network was compromised. News this month indicates that the breach has cost the company $12.6 million in legal costs and fines from MasterCard and Visa.

In a conference call with investors, Heartland’s CEO, Robert Carr, shared the financial damage resulting from the breach disclosed in Q1. Of the $12.6 million charge, less than $1 million relates to fines from Visa, while more than half is a fine from MasterCard. The company is contesting the fines, which allege a failure by Heartland to take appropriate action upon learning of the network compromise.

Carr has spoken frankly about the data breach, and lays some of the blame on the payment industry itself for not having stringent enough best practices. Though it is good that Heartland is encouraging new best practices, best practices are only a baseline in any industry. Companies should always consider their own particular risk factors and take whatever additional measures are necessary to mitigate them.

Heartland was recently re-certified as PCI DSS compliant by Visa, MasterCard and Discover. Re-certification is a point-in-time assessment, though, and much damage has already been done to their reputation; fines aside, the costs of this breach have been severe.


Verizon 2009 Business Data Breach Report

Thursday, April 23rd, 2009

Verizon Business has released its 2009 Data Breach Investigations Report, following similar reports earlier this year from the ITRC and Ponemon. The report indicates that 285 million records were breached in 2008. This figure is much higher than the 35.7 million records that the ITRC estimated based on notification letters, but the two are not directly comparable: Verizon counts records across the cases its own investigators handled, while the ITRC counts only what notification letters and public reports disclose.

Highlights from the study include:

  • 91% of all compromised records were attributed to organized criminal groups
  • 99.6% of records were compromised from servers and applications
  • 74% resulted from external sources
  • 20% resulted from insiders
  • 69% were discovered by a 3rd party
  • 67% were aided by significant errors
  • 32% implicated business partners
  • 95% of data breaches were rated as high difficulty requiring advanced skills, significant customization, and/or extensive resources

The most successful breaches involved an attacker exploiting some mistake made by the victim, allowing them to hack into a network and collect data. Hacking and malware were the top single causes of breaches, both up from the figures for 2007.

Much of the commentary on this report has focused on the insider figure being lower than expected, but the data is in line with previous reports. Although Verizon indicates that insider incidents will rise in 2009, the 20% insider figure quoted here is actually higher than the ITRC’s previously estimated 15.7% for 2008 (keeping in mind that the two datasets are collected differently). Fear of future insider threats has simply muddled our perspective on the past year.

The per-breach data about insiders is more revealing: on average, an insider breach exposed more records than a breach caused by external sources or by partners.

The report suggests that mitigation efforts be focused on ensuring essential controls are met; finding, tracking & assessing data; collecting and monitoring event logs; auditing user accounts and credentials; and testing and reviewing web applications.
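Two of the recommended controls above, collecting and monitoring event logs and auditing user accounts and credentials, are easy to start on with very little tooling, and the 69% third-party discovery figure is a reminder that most victims were not looking at their own logs. The following is an added example, not from the Verizon report or this blog, of the kind of check that closes that gap: it parses a handful of constructed sshd-style log lines, flags a source address that logged in successfully after a run of failed attempts, and flags any successful login by an account that is not in a (hypothetical) inventory of approved interactive accounts. The log lines, the `APPROVED_ACCOUNTS` set and the threshold of three failures are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines for the example (sshd-style); not real data.
SAMPLE_LOG = """\
Apr 20 03:11:02 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 20 03:11:05 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Apr 20 03:11:09 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 20 03:11:12 web1 sshd[4125]: Failed password for root from 203.0.113.7 port 51244 ssh2
Apr 20 03:11:15 web1 sshd[4127]: Failed password for root from 203.0.113.7 port 51248 ssh2
Apr 20 03:11:20 web1 sshd[4129]: Accepted password for root from 203.0.113.7 port 51252 ssh2
Apr 20 08:02:44 web1 sshd[5010]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
Apr 20 08:15:01 web1 sshd[5022]: Accepted password for jdoe from 198.51.100.9 port 40500 ssh2
Apr 20 09:30:17 web1 sshd[5100]: Failed password for jdoe from 198.51.100.9 port 40600 ssh2
Apr 20 09:30:22 web1 sshd[5102]: Accepted password for jdoe from 198.51.100.9 port 40602 ssh2
"""

# Matches the two sshd authentication outcomes we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Hypothetical inventory of accounts allowed to log in interactively (assumption).
APPROVED_ACCOUNTS = {"deploy", "jdoe"}
# Assumed threshold: a success after this many failures from one source is suspicious.
FAILURE_THRESHOLD = 3


def parse(log_text):
    """Return a list of dicts (ts, result, method, user, src) in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce_successes(events, threshold=FAILURE_THRESHOLD):
    """Return (src, user, failures) for each success preceded by >= threshold
    consecutive failures from the same source address."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            continue
        if failures[e["src"]] >= threshold:
            hits.append((e["src"], e["user"], failures[e["src"]]))
        failures[e["src"]] = 0  # a success resets the counter for that source
    return hits


def find_unapproved_logins(events, approved=APPROVED_ACCOUNTS):
    """Return the sorted set of accounts that logged in but are not in the inventory."""
    return sorted({e["user"] for e in events
                   if e["result"] == "Accepted" and e["user"] not in approved})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, user, n in find_bruteforce_successes(evs):
        print(f"ALERT: {src} logged in as {user} after {n} failed attempts")
    for user in find_unapproved_logins(evs):
        print(f"ALERT: successful login by account not in inventory: {user}")
```

On the sample above the script raises two alerts, both for the same event: the root login from 203.0.113.7 after five failures, and the fact that root is not an approved interactive account. The jdoe login after a single typo is not flagged because it stays below the threshold. In practice the threshold and the inventory would come from policy, and the same two checks work just as well over Windows security event exports as over syslog.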

Download the breach report here [PDF].

Microsoft’s 6th Security Intelligence Report

Wednesday, April 15th, 2009

Microsoft just released the 6th volume of its Security Intelligence Report (SIR), which provides perspective on the changing threat landscape in terms of software vulnerability, malware, and the changing face of threats and countermeasures.

The SIR indicates that malicious software infected different versions of Windows at different rates: every version and service pack of Windows XP had a higher infection rate than Vista. The data, which is based on millions of Windows users, shows that total vulnerability disclosures were on the decline while the number of high-severity disclosures increased each quarter. More than 90% of the vulnerabilities disclosed affected applications or browsers rather than the operating system.

In the second half of 2008 there was a rise in rogue security software: software that poses as anti-malware or anti-spyware when in fact it may do nothing, or may itself be malware. Be sure to download your software only from trusted sources!

The report also looks at data breach incidents from the OSF Data Loss database, which attributes 33.5% of all data loss incidents in the second half of 2008 to equipment theft, including that of laptops. Adding in equipment loss brings that total up to 50%. Be sure to secure your laptops and to verify that your computers have the latest software updates, which you can do with our Computrace laptop security solution.


SIR Volume 6, which tracks data between July and December 2008, can be downloaded here.

Via technet

Average Cost Per Breached Record Rises to $202

Wednesday, February 4th, 2009

The Ponemon Institute has released its annual study on the Cost of a Data Breach. The 2008 Study indicates that the total average costs of a data breach continue to rise. The average cost per breached record is now $202; the average cost per breach is $6.6 million.

The Ponemon Study tracks a wide range of cost factors that relate to data breaches: from detection & notification to legal ramifications and customer loss (tangible or not). The first study from four years ago helped to identify “direct, indirect and opportunity costs from the loss or theft of personal information, thus requiring notification to breach victims as required by law or policy.”

The 2008 Study looks at the actual data breach experiences of 43 US companies across 17 industry sectors. This is a larger base sample to draw from, vs the 35 breaches studied in 2007. The breaches in the survey ranged from 4,200 records to more than 113,000 records.

The average cost per breached record has gone up from $182 in 2006 to $197 in 2007 to $202 in 2008. The average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007). The range for costs was anywhere from $613,000 to $32 million.

“In these very tough economic times, businesses cannot afford to lose customers as a result of breach. Although new data breaches are reported each week, and seem to be getting larger, consumers have not become immune. While organizations have learned how to respond to a breach more cost-effectively, customers are increasingly prone to terminate their business relationship due to lost data, producing consistently higher abnormal churn rates.”

The cost of lost business has the largest impact on the per-record breach cost, accounting for 69% of the total. According to the study, breach costs for first-timers (companies with no previous breach history) are higher, and 85% of the cases in the study involved companies with more than one major data breach. Insider negligence was the #1 cause of data breaches, with over 88% of breaches resulting from negligence.

Third-party data breaches, in which a sub-contractor or business partner loses the data, are rising in both frequency and cost. 44% of respondents reported a third-party data breach (up from 40% in 2007 and 29% in 2006), with higher per-record costs than internal data breaches ($231 vs $179). The staggering growth of third-party data breaches indicates a serious, and costly, oversight in data security planning and accountability.

Other highlights from the study:

  • 53% of companies are creating more training and awareness programs to prevent future breaches
  • Healthcare and financial services suffer the highest customer loss after a data breach (average churn rates of 6.5% and 5.5% respectively)
  • Healthcare data breaches cost $282 per record vs retail data breaches at $131
  • 44% of companies have expanded their use of encryption technologies

Download the study here.

Also check out Absolute Software’s recent study with the Ponemon Institute: The Human Factor in Laptop Encryption.

2008 Data Breaches up 47%

Tuesday, January 13th, 2009

The Identity Theft Resource Center (ITRC) has released their 2008 breach report showing a 47% increase in data breaches over 2007.

2008 Data Breaches Reported – 656

2007 Data Breaches Reported – 446

Keep in mind the key word in this data: reported. More data breaches go unreported and/or undetected. Even so, this data still shows a troubling increase in data security issues.

Breaking down the data by sector, the figures are approximately the same as in previous years. The Business sector accounted for 240 breaches, 36.6% of all breaches. Following behind in terms of incidence are Education (20%), Government (16.8%), Medical (14.8%) and Financial (11.9%). The Government sector was the only sector to have a marked decrease in breach incidents over a 2 year period, dropping nearly 50% since 2006.

According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. 8.5% used password protection.

Five categories of data loss methods are tracked: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Insider theft accounted for 15.7% of data breaches, more than doubling between 2007 and 2008. The largest share of breaches, 35.2%, were accidental, falling into the ‘data on the move’ and ‘accidental exposure’ categories.

Based on the data collected, 82.3% of breaches were electronic (vs paper) and at least 35.7 million records were potentially breached (based on notification letters and information supplied). Given that one breach alone in 2007 accounted for 25 million exposed records, it is likely that although the number of breaches went up in 2008, the number of records exposed went down.

You can download the ITRC Stats & Reports here.

Fun read: Ever wonder what a month of spam looks like? Crazy, isn’t it, that one person can receive so much spam!

Data Breach Incidents Up for 2008

Wednesday, October 8th, 2008

The Identity Theft Resource Center (ITRC) has issued a press release indicating that the number of breach incidents in 2008 already surpasses the total for all of 2007.

The ITRC had recorded, as of August 22nd, 449 data breaches in 2008. The total number of breaches for 2007, for the entire year, was 446. In both cases, the actual number of breaches are likely higher due to under-reporting and lack of detection. These breach figures speak to incidents, not the number of entities involved in each event or the number of people affected by them.

Linda Foley, founder of the ITRC, attributes part of the growth of the breach list to access to Attorney General notification lists in three states, which record data breaches that don’t always make it to the mainstream media. Linda also believes that more companies are proactively auditing their systems and identifying breaches that previously went undetected.

The current breach list at the ITRC, which reflects more than 22 million compromised records, is also only a partial list of the problem. In more than 40% of breach events, the number of records exposed is not disclosed or known. Although figures of records breached are often more newsworthy, breach events themselves are a more usable statistic for research purposes, ITRC notes.

Of the 449 breaches in 2008, 11% were the result of contractor breaches. That is obviously a huge area of concern for businesses to identify, and for security policies to address.

PogoWasRight asks some very pointed questions about the need for a full disclosure law, the role of the federal government in breach situations, and who exactly is responsible to ensure affected individuals in any case are notified of a breach. The same author also talks about the correlation between breach notification, types of breaches, and fraud.

Via Emergent Chaos
