Distressing...
Breaches: Study Shows Over 806.2 Million Records Disclosed, Estimated Cost of $156.7 Billion
September 8, 2011 by admin
I’m still playing catch-up with everything I missed thanks to NatGrid’s profound incompetence in restoring power after a tropical storm knocked us offline. Here’s a press release I had missed:
The Digital Forensics Association announces the release of their second annual data breach report. “The Leaking Vault 2011 - Six Years of Data Breaches” analyzes 3,765 data loss incidents, with a known disclosure of 806.2 million records.
Organizations seem to be in the news on a daily basis for disclosing data inappropriately. Hundreds of millions of people’s personal private information has been lost, stolen or otherwise shared with unauthorized parties. The problem of data breaches is one that potentially impacts the economic health of the victim organizations, upstream or downstream partners, and the data subjects who face direct financial consequences.
Key findings include:
The Leaking Vault 2011 presents data gathered from studying 3,765 publicly disclosed data breach incidents, and is the largest study of its kind to date. Information was gleaned from the organizations that track these events, as well as government sources. Data breaches from 33 countries were included, as well as those from the United States.
This study covers incidents from 2005 through 2010, and includes over 806.2 million known records disclosed. On average, these organizations lost over 388,000 people’s records per day, or 15,000 records per hour, every single day for the past six years.
The estimated cost for these breaches comes to more than $156 billion to the organizations experiencing these incidents. This figure does not include the costs that the organizations downstream or upstream may incur, nor that of the data subject victims. Further, it is a low estimate of the cost, due to the fact that 35% of the incidents did not name a figure for records lost.
The Laptop vector remains the leader in incidents, but the Documents vector (printed material) is fast growing and demonstrates the need to manage both electronic data assets as well as printed documents. This vector has been trending upward for several years and is a potential contender for the incident leader if it continues.
The Hacking vector remains the records loss leader, responsible for 48% of the records disclosed in the study. The Drive/Media vector is in second place with the Web vector in third.
Outsiders continue to pose the largest risk in terms of both incidents and records disclosed. When the threat actor is an insider, the incident is significantly more likely to be accidental in nature. While accidental incidents are more prevalent, they also cause the most harm of the insider incidents in terms of records disclosed.
In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number. In contrast, only 15% of the incidents disclosed Credit Card Numbers, and 16% disclosed medical information. Medical disclosures saw a significant increase with the addition of the 2010 data. This is more likely due to the reporting requirement of existing regulations going into effect than any actual increase of incidents. The incidents where criminal use of the data was confirmed increased by 58% from the prior report. The two vectors most likely to show criminal use were the Fraud-SE and Hack vectors.
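The findings above draw a distinction that is easy to miss when reading breach statistics: the vector that leads in number of incidents (Laptop) is not the vector that leads in records disclosed (Hack), and any records total is only a floor because a third of incidents never report a count. The script below is an added illustration, not code from the DFA report or from this blog; it computes both leaderboards, the insider accidental/deliberate split, and the fraction of incidents with no record count over a small constructed sample. The vector labels follow the report's naming; the sample incidents and their record counts are invented.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Incident:
    """One publicly disclosed data loss incident (constructed sample record)."""
    vector: str             # report-style label: "Laptop", "Hack", "Documents", ...
    insider: bool           # True if the threat actor was an insider
    accidental: bool        # True if the incident was accidental rather than deliberate
    records: Optional[int]  # records disclosed, or None if the figure was never reported


# Constructed sample: many small laptop/document losses, a few large hacks.
# The numbers are made up and do not come from the DFA study.
SAMPLE = [
    Incident("Laptop", False, False, 4_000),
    Incident("Laptop", False, False, None),
    Incident("Laptop", True, True, 2_500),
    Incident("Laptop", False, False, 7_000),
    Incident("Documents", True, True, 300),
    Incident("Documents", True, True, None),
    Incident("Documents", False, False, 1_200),
    Incident("Hack", False, False, 500_000),
    Incident("Hack", False, False, None),
    Incident("Drive/Media", True, True, 120_000),
    Incident("Web", True, True, 20_000),
    Incident("Fraud-SE", True, False, 3_000),
]


def vector_summary(incidents):
    """Per-vector incident counts, known-record totals and their shares.

    An incident with an unknown record count still counts toward the incident
    share but contributes nothing to the record share, which is why the record
    total derived this way is a lower bound rather than an estimate.
    """
    counts = Counter(i.vector for i in incidents)
    records = defaultdict(int)
    for i in incidents:
        if i.records is not None:
            records[i.vector] += i.records
    total_incidents = len(incidents)
    total_records = sum(records.values())
    return {
        v: {
            "incidents": counts[v],
            "records": records[v],
            "incident_share": counts[v] / total_incidents,
            "record_share": records[v] / total_records if total_records else 0.0,
        }
        for v in counts
    }


def leaders(incidents):
    """Return (incident leader, records leader); they need not be the same vector."""
    s = vector_summary(incidents)
    by_incidents = max(s, key=lambda v: s[v]["incidents"])
    by_records = max(s, key=lambda v: s[v]["records"])
    return by_incidents, by_records


def unknown_record_fraction(incidents):
    """Fraction of incidents that never reported how many records were lost."""
    return sum(1 for i in incidents if i.records is None) / len(incidents)


def insider_breakdown(incidents):
    """Insider incidents split into accidental vs deliberate, with known records."""
    out = {"accidental": {"incidents": 0, "records": 0},
           "deliberate": {"incidents": 0, "records": 0}}
    for i in incidents:
        if not i.insider:
            continue
        key = "accidental" if i.accidental else "deliberate"
        out[key]["incidents"] += 1
        out[key]["records"] += i.records or 0
    return out


if __name__ == "__main__":
    for vector, row in sorted(vector_summary(SAMPLE).items(),
                              key=lambda kv: -kv[1]["records"]):
        print(f"{vector:12s} incidents={row['incidents']:2d} "
              f"({row['incident_share']:.0%})  records={row['records']:>8,d} "
              f"({row['record_share']:.0%})")
    print("incident leader / records leader:", leaders(SAMPLE))
    print("incidents with no record count:", f"{unknown_record_fraction(SAMPLE):.0%}")
    print("insider split:", insider_breakdown(SAMPLE))
```

Run it and the two leaderboards diverge exactly as the report describes: Laptop tops the incident count while Hack dominates the record count, and 25% of the constructed incidents carry no record figure at all, so the record totals shown are floors. When analysing your own incident register, keep the unknown-count fraction next to every record total; without it the total reads as more precise than it is.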
A quick perusal of the report indicates
that its analyses are based on data collected by the Open Security
Foundation DataLossDB.org project, the Privacy Rights Clearinghouse,
and the Identity Theft Resource Center. This blog, my companion blog
for healthcare sector breaches (phiprivacy.net) and I fuel all three
of those sources – PRC and ITRC rely heavily on my blogs and I’m
a moderator/curator for DLDB. If you’d like to conduct your own
analyses of the more than 4,500 breaches in DLDB, contact OSF for
licensing arrangements and use.
In the meantime, if you know of a
breach I’ve missed – which becomes increasingly likely these days
given all the hacks and leaks – please do let me know by email to
breaches[at]databreaches.net or tweet it to @pogowasright. Thanks!
When all health care systems are linked, the number (and scope) of the breaches will likely skyrocket.
The U.S. Department of Health and Human
Services Office of Civil Rights has submitted its mandated report to
Congress on breach reports it has received. The report covers
incidents reported between September 23, 2009 (the date the breach
notification requirements became effective), and December 31, 2010.
Here are some of the highlights of the report:
Major causes of breaches, as reported to and by HHS:
The breach reports
submitted to the Secretary in 2009 described four general causes of
incidents: (1) theft; (2) intentional unauthorized access to, use, or
disclosure of protected health information; (3) human error; and (4)
loss of electronic media or paper records containing protected health
information.
[...]
The breach reports
submitted to the Secretary in 2010 described five general causes of
incidents, four of which were also reported in 2009: (1) theft; (2)
loss of electronic media or paper records containing protected health
information; (3) unauthorized access to, use, or disclosure of
protected health information; (4) human error; and (5) improper
disposal. In comparison to 2009, in 2010, the number of individuals
affected by the loss of electronic media or paper records was greater
than those affected by unauthorized access or human error. Moreover,
the reports received in 2010 contained incidents involving an
additional category, improper disposal of paper records by the
covered entity or business associate… Theft was once again the
most common reported cause of large breaches. Among the 207 breaches
that affected 500 or more individuals, 99 incidents involved theft of
paper records or electronic media, together affecting approximately
2,979,121 individuals.
A more refined analysis is contained in the report.
With respect to the smaller breaches (i.e., those affecting less than 500 individuals):
HHS received
approximately 5,521 reports of smaller breaches that occurred between
September 23, 2009, and December 31, 2009. These smaller breaches
affected approximately 12,000 individuals. HHS received more than
25,000 reports of smaller breaches that occurred between January 1,
2010, and December 31, 2010. These smaller breaches affected more
than 50,000 individuals.
The majority of
small breach reports in 2009 and 2010 involved misdirected
communications and affected just one individual each. Often, a
clinical or claims record of one individual was mistakenly mailed or
faxed to another individual. In other instances, test results were
sent to the wrong patient, files were attached to the wrong patient
record, emails were sent to the wrong addresses, and member ID cards
were mailed to the wrong individuals.
Useful resources?
Future of Privacy Forum Releases “Privacy Papers for Policy Makers”
Future of Privacy
Forum is pleased to share the second annual “Privacy Papers for
Policy Makers,” showcasing leading analytical
thinking about current and emerging privacy issues.
Leading Papers:
Notable Mentions:
View the 2010 papers here.
Since it is easier to beg forgiveness
than to request permission, I'd bet they are already doing this and
now want to acknowledge a small portion of the scope of their
monitoring – perhaps to legitimize evidence shared with law
enforcement?
The Spy Who Tweeted Me: Intelligence Community Wants to Monitor Social Media
A research arm of the intelligence
community wants to sweep up public data on everything from Twitter to
public webcams in the hopes of predicting the future.
The project is the brainchild of the Intelligence Advanced Research Projects Activity, or Iarpa, a relatively new part of the spy community that’s supposed to help investigate breakthrough technologies. While other projects exist for predicting political events, the Open Source Indicators program would be perhaps the first that mines data from social media websites.
… The science underlying the project is the notion that early indicators of major social upheavals might be hidden in plain, socially-networked sight. “Some of these changes may be indirectly observable from publicly available data, such as web search queries, blogs, micro-blogs, internet traffic, financial markets, traffic webcams, Wikipedia edits, and many others,” the announcement, published August 25, says. “Published research has found that some of these data sources are individually useful in the early detection of events such as disease outbreaks, political crises, and macroeconomic trends.”
… For those who fear the all-seeing
surveillance state, Iarpa says there are some things the program
won’t do. It won’t be used to predict events in
the United States, for instance. Nor will it be used to track
specific individuals. [“We've already got plenty of tools for
that.” Bob]
(Related) Amusing, but it also makes
clear that “public” areas of Social Networks can easily be
monitored.
Robbery suspect's Facebook name: 'Willie Sutton Jr'
… The way the Smoking Gun has fired
it up, Hippolite, a 23-year-old New Yorker, came under the suspicion
of the police after bank employees gave them the partial license
plate of a getaway car after a bank heist.
Being servants of the social interest,
the police began monitoring Hippolite's Facebook page. Hippolite
had, presumably, found Facebook's privacy settings of little
interest. Those things are still tough to find anyway.
In their regular readings of
Hippolite's Facebook musings, police reportedly found such thought
bubbles as "I Gotta Get That $$$$$ Man!!!!" and the perhaps
unfortunate "Crime pays my bills!"
It was on July 29, however, that Hippolite decided his Facebook profile needed a little undercover identity. So he reportedly changed his Facebook name to "Willie Sutton Jr."
Some might admire his enthusiasm for his apparent hero, a man who enjoyed a 40-year career of bank robbery but did, sadly, spend half of his life in jail.
… But he has been arrested for
robberies at three Brooklyn branches of Chase and is a suspect in
another 16 bank heists that all had a similar modus operandi--in this
case, allegedly handing a note to the cashier that read: "GIVE
ME ALL THE MONEY OR ELSE EVERYBODY DIES!!! $100s $50s $20s ONLY."
It may not have helped Hippolite's
ultimate cause that his profile picture shows him holding what seems
like a plethora of $100 bills.
(Related) Doesn't seem to help much
with Guidelines...
Labor Board: Fired-For-Facebooking Employees Must Be Rehired
It’s no secret that an employer can,
and probably should, do a little check-up on your internet presence
before hiring you, and possibly afterwards. But as several unhappy
people have found out, sometimes they look pretty hard, and have
access to information you thought private. It can result in
foot-in-mouth moments and occasionally punitive action. That was
certainly the case when five workers were fired for their conduct on
Facebook.
The post in question was a complaint
about someone else’s complaint, and other employees joined
in, including the person being complained about. A few days later,
they were sacked; their employer said that the posts constituted
harassment.
The workers felt their rights had been violated, and took it to the National Labor Relations Board. And incredibly, an NLRB judge has just ruled that all five must be hired back. I say “incredibly” because judicial comprehension of tech issues is a serious problem. Judge Arthur J. Amchan seems to have a head on his shoulders, though.
He stated that the employees
had not forfeited the protection of the law in their speech, which
was well within the bounds of normal discussion of workplace
conditions for which one can’t easily be fired.
The size of the precedent being set
isn’t clear. It’s certainly a victory, but to blow it out of
proportion would be a mistake. This was a one-time offense with some
coffee-break jabbering — a fairly easy thing for the judge to see.
But questions abound. What if it was systemic? What if it was in
private messages? What if it had been going on for weeks? Months?
What if the person being harassed has left the company?
It’s entirely possible that a company
could institute a contract policy in which employees essentially do
forfeit their right to private communication. And the line past
which behavior becomes not just undesirable but a fireable offense
isn’t clear at all. Like many other areas where communication is
moving to new platforms, the boundaries have to be tested, and this
ruling extends the safe zone by a little bit.
“Throw the book at them, Danno” Is there an International Organized Crime treaty?
"The Obama administration wants hackers to be prosecuted under the same laws used to target organized crime syndicates, according to two officials appearing in front of the Senate Judiciary Committee on Wednesday morning. From the article: 'Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge Pablo Martinez said the maximum sentences for cyber crimes have failed to keep pace with the severity of the threats. Martinez said hackers are often members of sophisticated criminal networks. "Secret Service investigations have shown that complex and sophisticated electronic crimes are rarely perpetrated by a lone individual," Martinez said.'"
Boys and their toys.
Lawyers and security experts share concerns over app security – ABA Journal
An article in the ABA Journal
highlights the concerns that law professionals find with popular
apps.
Chicago, September 7, 2011 – A recent article posted on the ABA Journal news site, “App-solutely Perilous? Security of Mobile Apps Spurs Concern” by Richard Acello, points to findings by viaForensics as a cause for concern over the security of many mobile apps. The article states “lawyers may be especially vulnerable because of the varying levels of technical savvy in the profession, and because the apps in question provide services attractive to them.”
viaForensics provides a free appWatchdog service aimed at providing the public with information about potential insecurity of popular mobile applications. The hope is that developers will be motivated to take all appropriate measures to secure their apps.
Read the full ABA Journal article here.
(Related) Does this suggest why
Lawyers like the BlackBerry?
South Africa joins the call for BlackBerry messaging keys
Bill Ray reports:
South Africa has
joined the call for access to the BlackBerry Messaging service,
quoting the usual security concerns and pointing out that the UK
plans much the same thing.
BBM, the BlackBerry
messaging service, has become the medium of choice for the discerning
ne’er-do-well, which is strange considering it is a good
deal less secure than the email offered by the same handset. But the
instant nature of messaging appeals to everyone, prompting the new
action from the South Africans:
“There is evidence that criminals are now using BBM to plan and execute crime,” the deputy comms minister told his audience at a London conference on African telecommunications: “We want to review BBM like in the UK and Saudi Arabia.”
A list of free and useful stuff.
"InfoWorld's Peter Wayner provides an in-depth look at the state of open source software and an overview of the best open source software of the year. 'It's easy to find hundreds of other positive signs of open source domination. If the mere existence of a tar file filled with code from the nether regions of a beeping device that's buried deep inside someone's pocket is all you need to feel warm and fuzzy about "open source," you might conclude that open source development is the most dominant form in the increasingly dominant platform of the future,' Wayner writes. 'But anyone who digs a bit deeper will find it's not so simple. Although the open source label is more and more ubiquitous, society is still a long way from Richard Stallman's vision of a world where anyone could reprogram anything at any time. Patents, copyrights, and corporate intrigue are bigger issues than ever for the community, and more and more people are finding that the words "open source" are no guarantee of the freedom to tinker and improve. Some cynics even suggest that the bright, open future is receding as Linux and other open source tools grow more dominant.' Included in the writeup are the best open source applications, best open source desktop and mobile offerings, best open source development tools, and best open source software for datacenters and the cloud."
This could be handy... I did a search on “Privacy” and the first entry in “Find privacy nearby” was the Sturm College of Law at DU.
WDYL: Search All Google Products On A Single Webpage
Google users often find themselves
clicking on the “Images”, “Video”, and similar links at the
top of the search results page when they use Google. This is done to
get search results from different Google products. Fortunately you
will no longer have to spend an extra click to get those additional
results, all thanks to WDYL “What Do You Love”.
What Do You Love is a new page launched by Google that presents the search results of a query from all Google products. The search results are displayed in individual boxes placed next to one another. Each box has an arrow to browse over to the next result. A box on the far left lets you easily navigate the page.
Another handy tool
Google Takeout: Download All Your Google Data
Facebook is not the only online place
you store valuable data; you also have important information stored
in your Google account. Buzz, Contacts, and Picasa jointly hold a
lot of your important information. Realizing that users might want a
backup of their online information, Google has now launched a new web
service entitled Takeout.
Takeout is a new web service by Google that lets its users download all their data stored in Google accounts. In addition to your Google Profile information, data is downloaded from Picasa, Contacts and Circles, and Google Buzz. The data is compressed into a ZIP archive and made available for download.
Google will gradually be adding more
products to Takeout so you can create a backup of all your Google
services.
I love technology projects my students can enthusiastically participate in... Now if we can only get past Step One: Empty the can
Boost Your WiFi Signal Using Only a Beer Can